Acceptable-Use Policies: Human Defenses Michael Swart, Steven, Daniel Connor.



Learning Objectives
– Acceptable-use policy as a security and legal necessity.
– Balancing safety with piracy concerns.
– User accountability and responsibilities.
– Corporate accountability and responsibilities.
– Characteristics of an effective AUP.

What is an AUP?
An Acceptable Use Policy is a company policy that defines (or should define) acceptable and unacceptable use of all components of the company’s information, computer networks, and communication systems.

An AUP should…
clearly specify the company’s standards for onsite access and remote access to corporate networks, and for secure use of company usernames, passwords, and computer accounts.

Introduction
An AUP helps the organization fulfill its “duty of care” to provide employees with a non-hostile working environment. In general, a duty of care simply means that a company or person can’t create unreasonable risk of harm to others. A non-hostile environment is one where employees are free from actions that are offensive…
– Morally
– Ethnically
– Racially
– Religiously

Why do we need AUPs?
Illustrated by two court cases:
– California DMV vs Allstate Insurance
– MCI Worldcom vs two employees

Allstate Insurance Co Employees Illegally Access Confidential Information
In February 2003, the California DMV cut off Allstate’s access to digital driving records. A customer’s confidential address had been released, which resulted in a written threat. Investigations found 131 violations of confidentiality rules.

Lawsuits Pending
The DMV director said he would ask the state attorney general’s office to seek fines against Allstate. A civil lawsuit would be filed outlining the specific instances of improper behavior. Accessing DMV information under false pretenses carries up to a $100,000 fine for each violation.

MCI Worldcom’s AUP Leads to Early Dismissal of Lawsuit
The lawsuit was brought by two employees who had received four e-mails of racial jokes. They claimed that the company had been negligent by allowing the corporate system to be used for harassment, and also that the defendant retaliated against them for using the jokes in the suit.

Outcome
The court dismissed the plaintiffs’ claim of negligence against MCI Worldcom. Three reasons:
– Had an established acceptable-use policy that expressly prohibited discriminatory e-mail.
– Had acted consistently in enforcing the policy against the employee who sent the e-mail.
– Took remedial action to enforce its written policy.

The Discipline and Diligence Defense Tier
Inform employees of their responsibilities and the rules within the company. These policies are rarely updated. Huge investments are taking place but are ineffective unless commitment is made by the employees. Discipline and diligence break old habits with training, reminders, and enforcement.

Dual Functions of the AUP
(1) Prevent misuse from occurring.
– Help prevent security breaches by informing employees of what they can and cannot do.
– Clarify expectations about personal use of company equipment, privacy, and user responsibility.
– Warn employees of monitoring.
– Outline the consequences of non-compliance.

Employee abuse increases
Employees are more likely to abuse privileges when acceptable use has not been clearly outlined and enforced. According to the courts, if a company does not take action to prevent a hostile work environment, then it is guilty of promoting it. According to surveys by the ePolicy Institute, the AMA, and US News and World Report, 63 percent of US companies monitor employee Internet activities. Employees’ e-mail and Internet records are being used against companies during the discovery process of lawsuits, so prevention is all the more critical.

Dual Functions (cont)
(2) Legal Protection
– A uniformly enforced AUP is supporting evidence that the organization exercised its legal duty to safeguard employees.
– Companies have learned that policy is useless in court.
– There are two legal doctrines relevant to employer liability.

Legal Theories and Employer Liability Issues
– Respondeat Superior Doctrine and Liability.
– Negligent Supervision and Duty of Care.

Respondeat Superior and Liability
Respondeat Superior – a doctrine that holds employers liable for misconduct of their employees that occurs within the scope of their employment.
Scope of their employment – conduct that occurs substantially within the authorized time and space limits of the job.

Continue: Respondeat Superior and Liability
On November 23, 2001 the U.S. and 29 other countries signed the Convention on Cybercrime. It seeks to ensure that when a company fails to supervise employees and a computer crime is committed, the company is held liable where the crime occurred with its knowledge, consent, or approval.

Negligent Supervision and Duty of Care
An employer is also liable for the damages that result from negligent supervision of employees. This may extend to actions outside the scope of employment. Under the doctrine of duty of care, directors and officers have a fiduciary obligation to use reasonable care to protect their company’s business operation.

Continue: Negligent Supervision and Duty of Care
Businesses can no longer rely on force majeure (“force of nature” or “beyond human control”) as a defense against hackers, because these attacks have happened often enough to become foreseeable. In the case of a security breach, the corporate officers and directors can have a lawsuit filed against them claiming they did not ensure adequate protection.

Characteristics of Effective AUPs
Comprehensive Scope – must apply to everyone working and to all devices, such as desktops, laptops, and cell phones.
Clear Language – must be concise and explain all unique aspects of the firm or business.
Adaptive Content – must allow constant revision as new technology appears.

Continue: Characteristics
Extension to Other Company Policies – protects intellectual property and prohibits harassment in both the physical and the virtual environment.
– Virtual environment – where business is being conducted outside of the firm.
Enforcement Provisions – must be maintained and enforced consistently, or enforcement could be seen as discrimination.

Continue: Characteristics
Consent – acceptance and adoption of the AUP should not be passive.
– Require a signed agreement.
– Implied consent – usually a notice on computers or machines stating that using the equipment means you agree to all the rules and regulations.
Accountability – constantly researching cases to ensure the environment is safe for workers and others around them, and that they are all treated equally.

AUP Template
Chapter 6 provides an Acceptable Use Policy Template that can be used to review a current AUP or form a basis for a new AUP. Changing technology and legislation mean that AUPs can become outdated quickly and require at least an annual review.

Template (cont)
There is no one perfect template for an Acceptable Use Policy. To compose a relevant and feasible AUP, managers must assess:
– IT resources
– Infrastructure
– Culture
– Business needs

Template Policy Key Objectives
– Protect the company against computer crime, viruses, hackers, and cyber pranks.
– Maintain a non-hostile workplace.
– Prevent sexual and racial discrimination, copyright infringement, and software piracy.
– Maintain productive workplace use of company IT resources.

Provisions and Prohibitions
Users are not allowed to:
– Forward or save chain e-mails.
– Use e-mail for discussion forums.
– Use e-mail for personal gain.
– Violate copyright laws.
Users should:
– Check e-mail daily.
– Scan all new files before opening them.
– Treat all files sent or received as company files, not to be printed or taken outside the firm’s physical environment.
– Only let authorized users use certain IT resources.

Compliance
The company may choose to monitor or review all use of its IT resources, including but not limited to:
– E-mail sent and received.
– Internet usage.
– Computer files, documents, and faxes created, stored, deleted, or distributed.
– Any files that contain images, text, video, or audio (for content); installed software (for licensing).
All computer activities create audit trails! No user can view another person’s e-mail without permission.

Compliance Continued
Users are to report any violation of the AUP to (specific persons, titles). All users assume full liability for IT resources. Users release the company from any and all liabilities or claims relating to the company’s IT resources. The policy may be amended or revised as necessary by the company.

Summary
Employers who have an effective, well-publicized AUP that is enforced with proper monitoring and violation procedures have a better chance of escaping liability and damages resulting from employee abuse. Those who do not are risking liability, because employers have the burden of proving an affirmative defense in court.