Technology Unwrapped

The most important technology concepts, strategies and actions uncovered for your business.

How to Create an Acceptable Use Policy

man-using-stylus-pen-for-touching-the-digital-tablet-screen-6335 (1)_editedWhile technology plays an important role in keeping your organization safe from data breaches, security risks, and other malicious online behavior, it can’t do all the work by itself. The most secure companies create a culture that includes risk management, where employees are invested in taking steps toward reducing incidents by minimizing risky behavior and working to protect their technology and data assets.

One of the ways that you can help promote a culture of risk management is through creating and enforcing a clear and comprehensive Acceptable Use Policy. This is a policy that lays out what rules end users must follow when it comes to using technology, data, and the internet at your organization. Without further ado, let’s get into what an Acceptable Use Policy is and how you can create one for your organization.

What Is an Acceptable Use Policy?

An Acceptable Use Policy (AUP) is a formal set of rules that govern how employees at a company use computers, networks, and data. The AUP helps companies minimize their exposure to cyber security threats and limit other risks while working to protect the company’s reputation. This policy defines not only legal and compliance concerns but also rules for things like social media use and the use of personal devices.

An Acceptable Use Policy is only effective if employees are committed to following the policies laid out. That’s why the best policies not only outline the rules that end users should follow but also explain the rationale for why these rules are necessary. Team members are more likely to comply with the rules if they don’t see them as arbitrary or unreasonable but rather essential to protecting the organization as a whole.

How to Develop Your Own Acceptable Use Policy

Though AUPs will differ from company to company, here are a few important elements that every policy should include:

  • Scope
  • Code of conduct
  • Business use
  • Compliance and legal requirements
  • Data
  • Personal devices
  • Social media
  • Enforcement and consequences

Now, let’s dive a little deeper into what each of these sections includes.

Your Acceptable Use Policy should start by clearly defining the systems, devices, information, and communications that fall within the scope of the policy. This includes things like password requirements, voicemail, storage media, cloud computing accounts, and company software.

Code of Conduct

The code of conduct is one of the most important parts of your AUP. This outlines the expectations for end users while they are connected to your network. In this section, you need to clearly define prohibited activities, including items like activities that violate local, state, and federal laws; using inappropriate language online; and disclosing or sharing confidential information about the company, its clients, or its partners.

Compliance and Legal Requirements

Specific legal requirements and regulations will depend on your industry. For example, the health care industry must follow HIPAA guidelines, any industry that collects or processes information from EU clients must follow the General Data Protection Regulation (GDPR), and any industry that accepts and processes credit card payments internally has to follow PCI compliance. Your AUP should clearly outline the compliance and legal requirements of your industry, while recommending some best practices.

Business Use

Your AUP should also clearly define what is considered a business use for devices, networks, and the internet. This part of the AUP should let employees know they are accountable for anything they do while using corporate accounts and also describe expected ethical conduct while using these resources.


Your Acceptable Use Policy should outline what data your company collects and how that data is processed, stored, accessed, and disposed of. This portion of the policy should define what data is considered valuable data and what data must be backed up and/or encrypted. It should also outline the expectations you have for staff regarding its use.

Personal Devices

If you allow employees to use their personal devices at work, or for work outside the office, then you need to include this in your AUP. Also referred to as a Bring Your Own Device (BYOD) policy, this portion of your AUP outlines rules for what organizational data is allowed to be accessed on personal devices and how it may be transmitted and stored. This would also be the place to address any mobile device management software, antivirus software, or security controls your company requires.

Social Media

While social media channels can certainly benefit a company relative to digital marketing, social media use in the workplace can also open the  company up to significant security risks. Situations such as accounts being compromised by hackers or the accidental disclosure of sensitive information. By putting restrictions on social media use in your AUP, your company can work to mitigate security risks by limiting the amount of sensitive information stored or shared on these sites and on the devices used to access social media sites.

Enforcement and Consequences

Your company needs to enforce the AUP and develop consequences for those who do not follow the policies laid out in the document. Violations will vary in liability of risk, so your consequences should also vary depending on the severity of the violation, as well as the user’s intent. Additionally, you will  want to consider ways to discreetly enforce this policy by preventing the downloading of certain applications or using firewalls and DNS filtering to block prohibited sites. It’s important to note that you do not always have to download something to be infected with malware, sometimes simply visiting an infected site is enough to compromise your entire network.

Protect Your Business and Minimize Risk

Your Acceptable Use Policy will only be effective if your employees understand why it is important and necessary. Cyber security training is one way that you can work to educate your employees about how quickly your entire network can be impacted by actions such as connecting an unauthorized device, browsing irresponsibly, clicking questionable links or accidentally downloading malware. CoreTech offers cyber security training for Omaha companies that want to empower their employees with the knowledge and skills necessary to protect the company’s technology and data assets while preventing potentially devastating security breaches. We also offer tool sets and resources to put layered security protection in place. 

Contact us today to learn more, or for assistance drafting your organization’s Acceptable Use Policy.

New call-to-action

Topics: Staff Training, The Workplace