This chapter provides a thorough guide to many security issues. The authors encourage writing strong enforcement statements of acceptable use policies (AUPs) and provide examples of wordings and a best practices checklist. They cover how to limit authority and separate duties and how to pinpoint accountability. The chapter is from Network Security: The Complete Reference, by Mark Rhodes-Ousley, Roberta Bragg and Keith Strassberg; ISBN:0-072-22697-8, McGraw-Hill/Osborne, 2003.
It may seem that the first logical step to take when developing an enforcement policy is to decide what the proper response to noncompliance should be. However, writing enforcement language that states what your company will actually do is more important. Putting strong enforcement statements into an AUP because you think they will deter abuse is foolhardy. Enforcement statements should not be written in the hope that their language alone will prevent abuse; they should be written to define the punishment for noncompliance. More harm than good can be done if a strong enforcement policy is not applied when violations occur.
In addition to writing statements that accurately reflect the actions that will be taken, the following items should be considered when writing AUP enforcement text:
Consult with your legal representation. Laws may require your cooperation with law enforcement, the reporting of certain violations, particular treatment of those accused, limits on the punishment meted out, and restrictions on the disclosure of private information. How the enforcement policy is worded may also have legal bearing. It is best to obtain advice from counsel with a legal background and knowledge in this area.
Ensure management agreement on the consequences listed. Without management agreement, you may find yourself with a tough enforcement policy that no one is willing to actually use. Think of things that may cause problems; for example, discontinuing services such as network access may not be a valid in-house rule if network access is required for the employee to do their job. Discontinuing Internet access, or restricting access to specific sites and/or specific network servers, may be a more enforceable policy.
Invite participation by all stakeholders. Just as the policy itself should be developed in total with everyone's input, so should enforcement be discussed with them. Although it's true that laws and management policy may dictate what must be stated in certain parts of your enforcement document, you'll get more voluntary participation if the people to whom a policy applies have some say in its development.
Develop the policy and its enforcement rules as part of an overall security policy. Other parts of the security policy may have enforcement clauses, too, and you will want to coordinate them.
Develop enforcement rules for each variation of the AUP. There is no single AUP; instead, there should be an AUP for different IT products and/or roles. The most common AUP will be a broad policy that covers workstations, as well as access to the network and Internet by most employees. You will also want to have a separate AUP that addresses the practices of IT administrative staff. For example, IT pros have a higher level of access to systems than others and might not be held to the same restrictions of use as most employees. So a separate AUP should dictate what constitutes acceptable use of systems by them. Likewise, a more severe enforcement clause will lay out punishment for noncompliance. IT pros can do damage without having to illegally hack systems, so the consequences for their irresponsible actions should be appropriate.
Where possible, enforce the policy by using filtering technology. Use a product that blocks access to prohibited sites, records access attempts, and reports violations.
Consider a stepped enforcement rule. On the first violation, perhaps depending on the type of violation, a lesser punishment such as increased monitoring and more restricted access may be appropriate. After a second violation, something stronger may be in order. At some point, dismissal may be warranted.
Determine when and if you will bring in law enforcement. Laws are laws, and you are obligated to follow them, but there may be gray areas. For example, if an attack is stopped before it is successful and you learn it was carried out by the son of the Vice President, do you smile and shrug? Call in the FBI? What if the attack was successful? Would it matter what the nature of the attack was? Before you chastise me for not recommending a zero-tolerance strategy, do you have employees arrested for stealing a few paperclips? You should always obtain legal guidance in this area.
Designate who in the organization will be responsible for enforcement. This individual should have the authority to enforce the policy. The Chief Information Officer (CIO) may be the appropriate choice in some organizations.
Let everyone know the rules. Employees should be informed of the policy and have the opportunity to discuss it and understand its meaning and the consequences of noncompliance. The policy should be reviewed with them when they join the company and at least once per year thereafter. Have them sign off that this was done and provide a contact person for them so they can ask questions at a later time if they want to. If possible, place the policy online and remind employees of their required cooperation. Some organizations state the existence of and provide a link to the policy in the system logon banner.
Review the policy periodically. Laws, people, processes, and times change. Your policy may, too. Keep the policy and its enforcement section up-to-date.
Be prepared to mete out the punishments outlined in your policy. The worst possible thing you can do is have a harsh enforcement policy and then do nothing to carry it out.