Considerations for an Acceptable Use Policy for a Commercial Enterprise
Policies, policies, policies
If you have attended any reputable computer security training seminars lately you are probably getting tired of hearing about policies. But policies are the high cover that allows the computer security professional to operate effectively in an enterprise where the ultimate goal is to produce a product at a cost that allows the company to compete successfully in the marketplace. This means that the cost of providing computer security will always be traded against the other financial demands of the company.
In addition, no matter how large the computer security budget may be, the purchase and installation of various hardware and software security solutions will never completely solve the problem. Security system vendors will always be at least one step behind the changes in the business environment, and users will always find ways to circumvent installed systems.
Recent studies by the FBI Computer Security Institute have shown that 70% of network attacks are by outsiders, but these same studies show that 75% of the dollar losses to businesses are from insider attacks [1]. An acceptable use policy is a first step in restricting the insider threat, as it defines the expectations the company has of its employees as they use the company's systems.
In developing the policy the IT security professional should coordinate with the company's legal and human resources staffs. The legal staff can help to ensure that the policy is legal and enforceable, and the human resources staff will be called upon to conduct any employment-related actions based on violations of the policy. Therefore, the input from these two groups is paramount in developing and successfully enforcing an Acceptable Use Policy. In addition, the IT security professional must ensure that the policy is consistent with the company's overall security policies and is fully supported by the company's senior management.
The following paragraphs cover some of the most common considerations companies may need to include in an acceptable use policy. Each company's needs will vary depending on the type of business the company is in, the makeup of its employee population, and the configuration of its information systems.
Applicability and Purpose. A clear statement of applicability and purpose can go a long way towards enforcing compliance, particularly if the organization will be giving systems access to personnel who are not direct employees of the organization.
Changes. Nothing is as constant as change, and this holds true of your acceptable use policy. As technology changes and new threats to the business emerge, changes to your policy will be required. The company should include in the policy the method for communicating these changes to employees.
General Principles. It is a good idea to include up front in the policy a statement of general principles regarding usage of the organization's systems. Are the systems to be used strictly for business purposes only, or is some amount of personal use to be tolerated? If personal use is to be tolerated, what are the limits?
Employee Monitoring. The company may wish to state its intent to monitor in the acceptable use policy. In some jurisdictions this notice of monitoring may be required; in others it may be optional. The policy should state what the purpose of the monitoring is and how the results will be used. Companies should be cautious, as some activity, such as union activity, cannot be monitored.
Adult activity. It is a good idea to include a strict prohibition against any adult activity, such as visits to adult Internet sites or the distribution of adult content using the company's e-mail system.
Hostile workplace. In addition to adult activity there are other activities that can contribute to a hostile work environment and leave the company open to legal challenges. These may include harassing jokes, threats, and other items that have no place in a productive work environment.
Hacking. Companies should include a clear prohibition against using the organization's systems to attack or otherwise compromise systems to which the user does not have legal access.
Safeguarding systems and data. The company may want to make it clear that the user has a responsibility to properly protect the systems and data the user is given access to. It is a good idea to require users to check any files brought into the company for viruses and malicious content prior to opening the file. A prohibition against introducing non-business-related files should also be considered. In addition, users should be cautioned concerning the distribution of data owned by the company to outside persons or organizations.
Companies that deal in highly technical areas may find that their data is export controlled and may require the proper documentation prior to release to foreign persons. Users need to be cautioned that this requirement applies to electronic transmission of data as well as physical transmission.
Many companies require the use of an automatically activated, password-protected screen saver when there is a lack of user activity for a predetermined period of time. This provides some protection to the network and the user, as someone other than the logged-in user cannot easily use the logged-in computer. In this same vein, users should be required to log out when they will be gone from their workstation for extended periods of time or when they leave for the day. Some modifications to this requirement may be necessary for certain systems where the logoff would cause interruptions to an ongoing process and where the workstation lock provides a level of security similar to the network login process.
Protection of user IDs and passwords. A prohibition against sharing user IDs and passwords should be included. Without such a prohibition the organization may find it difficult to clearly trace activity back to a specific user.
Modems. Organizations need to determine how the requirements for modems in the workplace will be handled. Even in this day of web-based everything, the requirements for modems have not been completely eliminated. When they are necessary they should be considered a deviation from policy with a defined approval scheme.
Telecommuting Employees. Organizations are promoting telecommuting to allow their employees to work from home, while traveling, or while visiting a client site. Depending on the environment, the telecommuter may not have full access to all network functions. The following paragraphs discuss some of the telecommuting hazards that need to be considered when writing the acceptable use policy.
Many organizations have implemented web-based e-mail to allow employees to easily access their e-mail from any location where Internet access is available. While this method of access provides the maximum availability, it also opens the business up to a number of potential risks. If the e-mail is accessed from a public kiosk, what control does the user have over the storage of temporary files on that kiosk? How certain can the business be that the kiosk operator has sufficient controls in place to ensure the privacy of the communication and the deletion of the appropriate files when the user is finished?
Organizations that promote telecommuting must also evaluate the equipment that will be used by the telecommuting employee. Allowing the telecommuting employee to use individually owned equipment places the network at additional risk. The telecommuting employee likely also uses their individually owned equipment to access the Internet for personal reasons at home. The threats to the company network from private Internet activity abound. In 1998, the National Institute of Standards and Technology (NIST) categorized and analyzed 237 computer attacks that were published on the Internet [2]. This sample yielded some interesting statistics that should get the attention of every security professional:
Therefore the business network may become a target for trojans, viruses, and worms loaded on the user's home computer due to otherwise innocent Internet activity. The recent intrusion into Microsoft's systems appears to have been caused by just such activity [3]. A telecommuting employee's home system apparently became infected with the QAZ trojan, which was then transmitted over the virtual private network (VPN) set up between the telecommuting user and Microsoft. The QAZ trojan is remote execution software that is placed on a computer through an e-mail attachment, usually a Word document. Once the document is opened the underlying macro is executed and sends the hacker a message that it has infected a particular machine. The QAZ trojan then sits waiting on the machine for instructions from the hacker. It is quite likely that the perpetrator of the trojan merely got 'lucky' to be able to get it onto a Microsoft employee's home computer, and then on to the Microsoft system. But how much more could be done if a perpetrator was actually targeting a particular business?
Companies that allow telecommuting should carefully evaluate the methods they will use to allow their employees to connect to the company network. Installation of a personal firewall and up-to-date anti-virus software on the connecting computer could go a long way toward protecting the company network from the passage of trojans and viruses from the employee's location to the corporate network [4]. However, how does a company enforce a requirement that a telecommuting employee place a personal firewall and anti-virus software on the connecting computer if that computer is personally owned by the employee? Should the company dispatch technicians to its employees' homes to install and configure these software packages, or should the company allow the employee to install and configure these packages? Obviously the best solution is for the company to provide the telecommuting employee with a company-owned computer that is properly configured for connecting to the company network. This adds cost to the telecommuting effort, but it can be money well spent to protect the company's resources.
E-Mail. Companies may want to include a section that specifically addresses proper use of the e-mail system. Items such as how long e-mail is retained on the company servers, how the e-mail could be used in litigation, and the legal ramifications of agreements made using e-mail should be addressed. In addition, the company may wish to include cautions regarding the addressing of e-mail, to ensure the e-mail is properly addressed to the intended recipient. The policy should also inform employees that the company reserves the right to access and monitor all e-mail messages stored on its computer system, regardless of their origin or content.
It may be necessary to caution users about using e-mail to send export-controlled or company-sensitive data. The company should ensure that proper controls are in place to protect the rights of the company and to comply with export control laws.
If the company intends to monitor users' e-mail activity, the company may want to include a prohibition against the use of Internet mail systems, since mail sent via these systems cannot be monitored. In addition, the company may wish to restrict or deny access to anonymous remailers.
Internet Usage. The use of the Internet is probably the area that has caused the most problems for companies. The temptation to stray into non-business-related sites can be overwhelming for some people. Businesses should be clear in the acceptable use policy as to what type of Internet activity is considered appropriate. The company may want to consider alerting employees if the company will be providing supervisors with summaries of their employees' Internet activity. In addition, the company may want to define how it will handle the discovery of employees visiting adult sites.
There are a number of threats to the company's data other than specific site content. Companies such as Napster have been set up to provide peer-to-peer networking for the purpose of sharing files. Companies should consider whether they will allow users on their network to access such sites. In addition, these sites can be a threat to the company's telecommuting population if they are accessed using company portable computers, which probably contain company-sensitive information.
Another threat is the offer of free storage space on the Internet. There are companies that offer users significant amounts of web-accessible free storage. The benefit is that it is available from anywhere. The disadvantage is that the company cannot control what data is sent to these sites by its users. Therefore users could be sending huge amounts of the company's data to one of these sites, which the employee could then offer for sale to the company's competitors.
If the company will be using systems to block access to particular sites, the company should consider alerting the users to that in the acceptable use policy. The company may want to consider a statement indicating a right to block access to any Internet site without prior notice.
Software. The issue of unauthorized software use is looming larger every day in the business place. The Business Software Alliance has become very active in prosecuting businesses found to be using unlicensed software. The company may wish to include a prohibition against users loading software not provided by the company.
1. Shipley, Greg. "How Secure is
27 November 2000
2. Mell, Peter. "Computer Attacks: What They Are and How to Defend Against Them". May 1999. URL: http://www.itl.nist.gov/div893/staff/mell/pmhome.html (18 Nov 00)
3. Babcock, Charles. "Experts Ponder the Microsoft Attack." Interactive Week. 9 November 2000. URL: http://www.zdnet.com/enterprise/stories/main/0,10228,2652161,00.html (21 Nov 00)
4. Vaughan-Nichols, Steven. "Taking Security Home Could be Money in the Bank." 20 November 2000. URL: http://www.zdnet.com/enterprise/stories/security/0,12379,2655795,00.html (21 Nov 00)