IT Brief New Zealand - Technology news for CIOs & IT decision-makers
Story image
Usage policy: why IT needs to take charge
Fri, 1st Jun 2012
FYI, this story is more than a year old

It is well known that without rules chaos abounds. In the business world we protect ourselves against disorder by setting down formidable volumes of policies and procedures. They provide a set of rules that ensure consistency of practice. They also help to guard the organisation against unexpected and unwanted outcomes, and unethical or even illegal behaviours. As circumstances arise, new policies are created and old policies are updated to ensure they remain relevant and practical for the business.
The big question however, is how do you apportion responsibility for creating, reviewing and maintaining policies that cross multiple business disciplines? What if a policy has legal, HR and operational considerations? It is an issue currently confronting numerous organisations as they come to grips with social media and collaborative applications such as Facebook, Twitter, LinkedIn and YouTube.
The complications of a social world
While the rapid take-up of social platforms is allowing businesses to reach audiences in new and exciting ways, staff access of these web sites while at work raises any number of issues that may require the rewriting of a company’s Acceptable Use Policy (AUP).
Typically the two biggest concerns are productivity and security. An employee who spends three hours a day on social media is wasting the company's time and money. And, since these applications were not designed for business, most don't contain the built-in security measures essential for the enterprise environment. Instead they pose a threat of viruses and malware that should raise a red flag within any IT department.
Other fast-rising concerns and questions to consider include:
- How do you determine who within the organisation is authorised to communicate via social media?
- How do you know when a tweet is simply an individual's right to comment or when it should be judged as an employee overstepping the bounds of acceptable behaviour?
Employee comments on social media sites are notorious for their ability to cause damage to an organisation's reputation, not to mention the financial impact. Also, sites such as YouTube or Peer 2 Peer can consume massive amounts of bandwidth, adding significantly to an organisation's operational costs.
Who owns the policy?
It is clear that the IT department has the requisite knowledge to create social media policies. They understand the issues and the way the technologies are used. It is equally clear that there are other departments within the company, HR, legal and finance, that are also stakeholders in this area. All have important input regarding the monitoring, enforcement and compliance of the policy. Yet according to a study conducted by Forrester Research Group, around 40% of businesses have an application policy that was formulated wholly within IT, without the necessary input of the other departments.
In order for an AUP to be widely accepted and readily implemented it is best to get all the relevant stakeholders involved in formulating the policy from the beginning of the process. Departments such as legal, finance and HR all have valuable knowledge that IT can leverage to design a policy that is effective across all business units. Legal plays a critical reviewing role, determining if the draft AUP is non-discriminatory, acceptable and enforceable. Finance is essential in understanding the potential financial exposure involved in breaches of the policy. With all the potential liabilities associated with social media, from intentional misuse to accidental confidential data loss, it is important that legal and finance departments are aware of the compliance risks.
Then, when an employee is hired, HR takes on the role of education. This is when the employee learns about the company's views on Internet safety and the specifics of the AUP. Education is critical in informing the employee about the policy, thereby making it enforceable. It also helps to protect the company with limited liability if litigation arises due to staff misuse. Moreover, making employees aware of the problems may prevent accidental spam or virus intrusions, and reduce confidentiality breaches.
HR also offers a natural fit for the ongoing role of monitoring and enforcing of the policy.
What should an AUP say?
In general the AUP should be designed to accomplish two important objectives: maintain employees’ high productivity levels, and keep a company’s computer system safe from hackers and malware.
This means it must outline the types of websites a user may or may not visit. For example, an AUP may put a ban on social media sites such as Facebook or stipulate use only during breaks. A well-drafted AUP should, therefore be focused on educating employees about protecting business assets and explain why such security measures are in place that enforce the policy.  The aim of the AUP should be to gain employee cooperation rather than creating resistance by helping them understand the reasoning and logic behind the policy.
Technology as a means of compliance
Technology will make monitoring of the AUP much easier. The security software used in most IT departments should be able to block users from visiting websites deemed unacceptable. The usual suspects of pornography, gaming and social media sites, are commonly excluded from most corporate networks. In some instances however, it's not practical to completely block a site. Facebook, for example, may need to be accessible to the marketing department to update the corporate page or for customer service to manage complaints or requests. However, it is not a tool to be used widely by all employees. The alternative in this case is for IT to utilise technology that goes beyond simple block or allow capability, and allow for granular access by groups, departments or specific individuals. The solution should also provide advanced reporting relating to employee use of the company network, and drill down to provide detail such as use by website category (eg Social Media or P2P) or by user group or department.
Armed with this information, it becomes a relatively simple matter for HR to identify people who are making excessive use of particular social sites or who are responsible for major surges in bandwidth use, and it is HR's role to then determine whether the actions constitute acceptable use.
Security software will also provide analyses of instant messaging and email. Along with audit trails of web activity, these capabilities can assist companies to prove that they are in compliance with regulations such as data privacy and stock market black-out periods. They can help to pinpoint whether insider trading or even unintentional leakage of sensitive data is occurring. In short, these tools provide the information that makes an AUP enforceable.
It's undeniable that social media has brought a new era of opportunity and cooperation for businesses, but it has also brought its fair share of challenges. Many companies have yet to fully appreciate the security and compliance issues related to unfettered employee social access. Security software may help with some aspects, but it is not a panacea. Creating an AUP with input from all stakeholders is critical because it will help to ensure a practical, enforceable and beneficial policy that is aligned to business objectives. As in so many other areas of business, collaboration between departments is vital in obtaining all the information necessary to generate the positive response that is desired.
Scott Robertson is vice president, Asia Pacific for WatchGuard Technologies. This article originally appeared in the May issue of IT Brief.