Written rules are important. It’s also important that they are enforced – and not on a case-by-case basis. Key mid-level executives and top producers often skirt the rules with little or no repercussions. For general Policies & Procedures (P&P), this is not good, as favoritism and unequal standards can – and usually DO – stir resentment within the work force.
For network-related P&P, this can be disastrous. The first question is: does your company have a written Acceptable Use Policy (AUP) for computer/network/internet usage? If so, is it comprehensive or just general, like ‘don’t watch porn at work’? If not, why the heck not?
Leave any disciplinary actions for general (dress code, harassment, etc.) P&P to Human Resources – ultimately the network P&P boil down to one very important thing: Cybersecurity.
What good is it for your business if your top producer skirts authentication and security measures because they are inconvenient, yet this laziness brings about a security breach or leaves you in non-compliance with the rules of the regulatory agency that oversees your industry?
In a recent blog post, we spoke about Insider Threats. Employee negligence is the leading cause of breaches and therefore the #1 Insider Threat. The onus for negligent breaches falls not only upon the errant employee, but also upon management. When P&P are not enforced, the natural inclination among those who should take them seriously is not to. When there are no Subway cops, more people jump the turnstile without paying the fare.
Who is responsible for policies and procedures?
At the core, all P&P are a product of the company’s vision and goals, therefore the top executive management is ultimately responsible. The tasks of oversight and enforcement are delegated down to department and team management. As in many avenues, employee cooperation is a vital component – ‘Mary’ may be reticent to ‘make waves’ when another employee is engaging in harassing behavior, so it is not uncommon for such events to be reported by a concerned third party.
It is not that easy with Cybersecurity, because it’s difficult to tell what P&P are being broken unless someone is looking over the shoulder of the abuser. This is where your IT services come into play, whether an in-house IT Support Department or an outsourced Managed IT Services provider. They generally function in an informational role, alerting management that network policy enforcement is needed; any actions then usually fall to Human Resources.
If you currently do not have a network Acceptable Use Policy (AUP), you need to create one now. Then you must implement strong and reliable enforcement procedures.
How do you create an acceptable use policy?
Your #1 resource is your Managed IT Services provider or internal IT Services department. Just from discussing this issue with other Managed Services Providers (MSPs) within the IT Support Los Angeles community, it is clear that any MSP worth its salt will have been urging their clients to put these policies in place.
If you are still operating in the dark ages and using a ‘Break/Fix’ hourly rate IT support ‘Guy’, you will probably find them less than helpful. Generally (not always), they do not have the knowledge or expertise to put together a strong policy – and they will bill you by the hour for whatever they come up with.
The simplest way is to have your Managed Services Provider produce the basic policy, then management should meet with them in a fairly open forum to hammer out specifics. Your MSP should know your business, the varieties of sensitive data and the regulatory compliances you must meet. They should have templates available, including their own internal written policies, so this is an easy start. F5 provides an in-depth analysis of Policy Enforcement.
Important general components:
Identify crucial data and accesses.
Address legal and compliance issues.
Establish a policy on the use of employee-owned devices with network access (iPhones, iPads, etc.).
Internet use in general, but especially social media.
Feedback from staff.
Each industry will have unique specifics to add to the basic template.
In Summation
No matter what your network use policies are, if they are not written, with signed employee acknowledgements, and, most importantly, if they are not enforced, the threats to your network will not only become more frequent, they will also become more successful.
Frequently Asked Questions
Q: What is network policy enforcement?
A: The activities involved are the creation, management, monitoring, and execution of those written Policies and Procedures governing the use of a company’s computers and access to the business network or any other form of company communication.
The steps involved in enforcement vary, but generally consist of:
1) IT support identifies a violation of network P&P and relates the information to management.
2) Management compares the information supplied by IT support to the written P&P to ascertain that a violation has occurred. This includes investigation and an interview with the alleged transgressor to verify the violation.
3) Referral to Human Resources for appropriate actions.
Q: What is an example of acceptable use policy?
A: The University of Rochester sums it up in its own overview thusly: “Refrain from monopolizing systems, overloading networks with excessive data, degrading services, or wasting computer time, connection time, disk space, printer paper, manuals, or other resources.” But that is generalized – your business and its practices will require very specific ‘Dos and Don’ts’.
Q: What are elements of an AUP?
A: The National Education Association lists the nuts and bolts – outlined in Education World:
A Preamble
A Definition Section
The Policy Statement
Acceptable and Unacceptable Use Sections
A Violations & Disciplinary Action Section
Q: What are possible consequences for not following the AUP?
A: Every business will have its own levels of punishment, but it should be made clear to every employee that violations can ultimately result in suspension or termination and even criminal charges. Failures to follow the AUP can result in massive damage to the company.