September 09, 2004 - Acceptable Use Policies
Migrated from Archive
Instadoc0000008
Recently, it has come across my attention that many companies, at least in this area, don't have computer/internet usage policies in place. Some of these companies are quite large and the idea that they have gone for as long as they have without such a policy baffles me. Following one these surprises, I was asked to explain what a usage policy is and give some samples.
Once again, I was baffled. A company manager asking what a usage policy is? The idea totally blindsided me. As a result, I decided to drop a quick guidlines as to what are some things you want in your usage policy and some things to consider. As for the samples, there was google and it was good.
I've seen many usage policies, both for the internet and for computer systems in general, and they are pretty straight forward.
Intention - Why you are writing this policy. This can be a simple paragraph and it basically says you are writing guidelines that are designed to keep your systems safe, the company safe legally, and basically to ensure that usage of company resources goes along with company policy.
The Do's - Things you are allowed to do, these tend to be generalized and in many cases just state that the systems are to be used for company business only. Do not put Don't's here.
The Don'ts - Things you shouldn't do. This ranges from don't check personal email to anti-virus and spyware policies to do not download MP3's. Basically you want to think of every way you can possibly get in trouble and write a Don't for it.
Consequences - Often the most neglected; consequences for going against the policy are listed here. This can get convoluted so make sure you outline. Also, you should make sure the punishment fits the crime. If someone check's their home email, for instance, it may loose the company 3 minutes of time. If someone downloads an MP3, the RIAA might sue the company for several thousand dollars.
Finally, be thoughtful of your employees. Many of the policies I have seen are best described as Draconian. These policies put too much restrictions; no e-mail, no IM; and most importantly they do not work. People have no intention of following them, and the consequences are not deterrents. Think within reason. Many companies don't like Instant Messaging and personal e-mail in their offices, and feel that the employee is stealing time by using these services. There are a few things that managers need to realize about this mindset. First, happy employees are productive employees. If you let them have their personal communications, they will feel you trust them and that you believe they are responsible; this will make them happy. Secondly, if Susie in accounting has to ask Tom in sales something she could IM him if he was on her IM list. Much faster then e-mail, and depending on how geeky Tom is, he could get the IM just about anywhere. Finally, if you remove IM, you are removing a very valuable think-tank. On several occasions I can recall not having any clue as to how to find a solution to a particular problem. A quick IM and I had twenty buddies helping me. In ten minutes I would be able to fix something that would have taken me a week to stumble upon myself. Oh, and employers: guess what? In that scenario you paid one person for the work of twenty-one people. Sounds like a profit to me.
This is just my take on usage policies, not set in stone. As always I recommend talking with all the managers to make sure that the policy reflects the culture of the company, talking with the lawyers to keep all the going-ons of the business legal, and truly ask yourself, how much do you want to trust your workers. If the answer to the latter is not very much ... then perhaps a usage policy is not what you should be looking at right now.