Minimalist Acceptable Use Policy?
April 24, 2006 5:12 PM   Subscribe

My company does not have a computer acceptable use policy. What is the bare minimum?

I'm the recently-hired IT Manager for a 400 person automotive retailer spread across 8 locations. I'm the first full-time IT employee they've ever had. I've been charged with revamping many of their technology practices, one of which is producing a computer acceptable use policy for each employee to sign.

At a recent steering committee meeting, I presented my 2.5 page version to our COO. He basically said "TLDR", and asked me to distill it to the BARE minimum.

I know of some companies that have one-line policies. Others I've seen run to five pages. I'm wondering what you consider the absolute minimum clauses that need to be included, in order to protect the company.

posted by Roach to Computers & Internet (27 answers total) 1 user marked this as a favorite
No porn.

Email for business purposes only (but it helps to be flexible here).

Warn them that internet activities may be monitored. No guarantee of privacy.

Tell them to warn IT about security problems. Don't tell everybody else first.

No illegal activities.

Do not disrupt the network by your activities.
posted by Dipsomaniac at 5:30 PM on April 24, 2006

This is probably one of the most important documents at work to have lawyer examined, since the whole purpose of it is to enforce rules that might involve firing someone.

Dipsomaniac has gotten the broad strokes of what to say, but you really should leave how it's said to a professional, otherwise you may find it hard to actually follow through and fire the porn-downloading P2P sharing warez spreading guy in accounting.
posted by tiamat at 5:34 PM on April 24, 2006

The first clause I have here, I consider essential. The others are based on personal observations from where I work (as half of a two-man IT staff) of things that would be useful to write down.
  • All activity on the Company's computers and network, including (but not limited to) use of the Internet, email, and instant messaging, is subject to monitoring. These activities may be logged, and such logs will be kept for as long as IT deems necessary.
  • Use of the Company's computers and network for activities that are not directly related to your job should be kept to an absolute minimum.
  • To ensure that our Internet connection is kept free for essential business purposes, "streaming" content (such as Internet radio stations and video feeds) is prohibited.
  • Installation of software, wallpaper, screen savers, or other downloads onto your Company computer is expressly prohibited, unless the file has been approved in writing by the IT department.
  • The volume of computer speakers should be kept to a level that will not bother your co-workers, both for music and for other sounds.
  • No device -- computer or otherwise -- is to be connected to the Company network without explicit, written approval from IT. This is especially true of any device that allows wireless access to any Company resource or to the Internet.

    posted by CrayDrygu at 5:38 PM on April 24, 2006

    Installation of software, wallpaper, screen savers, or other downloads onto your Company computer is expressly prohibited, unless the file has been approved in writing by the IT department.

    This provision is unnecessarily draconian, IMHO.
    posted by limeonaire at 5:42 PM on April 24, 2006

    "No porn."

    Oh yeah, that reminds me. You say it's a retailer, so I think you could get away with phrasing like this: "Non-business use of the Internet is to be limited to content that is generally non-offensive. If you would not show the material to a customer, you should not be accessing it."

    This is, of course, assuming that you want to allow non-business use of the internet at all. Otherwise...

    "Access to the Internet is granted for a limited amount of business-related use. Under no circumstances is the Internet connection to be used for personal or recreational means."
    posted by CrayDrygu at 5:43 PM on April 24, 2006

    limeonaire: Then you can come to my work and help me clean spyware and malware off the sales force's laptops.

    In some sort of happy Candyland world, the users could install whatever they want to. But malware is not only commonplace -- and most especially so in screensaver and wallpaper related downloads -- that you can't allow this and still keep things in good running condition.

    The "approved in writing" phrase is merely to prevent he-said-she-said arguments. "Writing" can include email, if the company chooses (mine does).
    posted by CrayDrygu at 5:46 PM on April 24, 2006

    Make malware scanners an enforced part of the policy then.
    posted by cellphone at 6:16 PM on April 24, 2006

    bare bones:

    No use of the computer that is not business related.

    No installation of software.

    Nothing is considered private.

    Those three cover almost anything.

    If you leave any wiggle room (such as...."kept to a minimum" in terms of personal use) you'll have to be making subjective decisions when you have to enforce something.
    posted by HuronBob at 6:37 PM on April 24, 2006

    No usage of Internet Explorer
    posted by MonkeySaltedNuts at 6:43 PM on April 24, 2006

    Thanks for the input. This will be very useful as a reference for my boss.

    If the experts at AskMetafilter say it's good enough.....
    posted by Roach at 6:51 PM on April 24, 2006

    "'ll have to be making subjective decisions..."

    Yeah, that has to be done sometimes. Everything isn't black and white. That's why managers have things like employee reviews and written warnings at their disposal. If an employee's use is getting to be excessive, you talk to them about it. If it continues, follow up with a written warning. Then a one-on-one review. And if it continues to be a problem, then there's nothing subjective at all: the user was very clearly notified that their use was falling outside of what was considered "acceptable," and the situation failed to improve.

    This is not in any way different from an employee who spends too much time on the phone chatting with friends, or who spends too much time at the water cooler instead of at their desks. Managers have no problem reprimanding them when it's appropriate.

    And cellphone, rather than repeat it all here, let me link you to an article on security myths in the latest TechNet Magazine from Microsoft. Scroll down to "Myth: Let's Block Bad Stuff" for a wonderfully simple explanation of why malware scanners aren't an appropriate response.
    posted by CrayDrygu at 7:08 PM on April 24, 2006

    If you leave any wiggle room (such as...."kept to a minimum" in terms of personal use) you'll have to be making subjective decisions when you have to enforce something.

    A distinction without a difference. If you ban all personal internet use whatsoever, no exceptions, then almost everyone will break the rules at one point or another. The issue then becomes one of selective enforcement rather than subjective interpretation. Which is, in practice, the same thing.
    posted by Saucy Intruder at 7:18 PM on April 24, 2006

    Mm. I didn't think about that, CrayDrygu. I'm just used to working in small, all-Mac office environments, where such things aren't usually an issue.
    posted by limeonaire at 7:21 PM on April 24, 2006

    limeonaire: I think Macs qualify as some sort of happy Candyland world, so I guess we're OK then :)
    posted by CrayDrygu at 7:23 PM on April 24, 2006

    The bare minimum is simple: "Employees are expected to use good judgment in using company computers." Just like everything else in the office. You don't have a stapler usage policy, but if Bob ran amok with it and started stapling the secretaries, you'd fire his ass for it. You don't have an employee hygiene policy, but if Dave didn't bathe for six weeks, out he goes. The purpose of a policy is simply to make sure there is a meeting of the minds between management's expectations and the staff's actions. There are any number of ways to achieve that meeting of the minds. Legalese isn't really one of them, as your COO apparently knows.
    posted by jellicle at 7:43 PM on April 24, 2006

    jellicle, you've got a good point there. I do think that a mention of the expectation of privacy (none) is worthwhile, though. Some people just don't realize that every site you go to, every file you download, and every email you send can be monitored by your employer, or at the very least logged for later reference.

    The very knowlege of this can reduce the amount of goofing around. I know there's plenty of sites I won't go to at work, even during lunch, just because I don't want the address in the proxy's log files.
    posted by CrayDrygu at 8:24 PM on April 24, 2006

    Installation of software, wallpaper, screen savers, or other downloads onto your Company computer is expressly prohibited, unless the file has been approved in writing by the IT department.

    Limeonaire's original point holds. The way this is phrased is ridiculously needlessly draconian. Did you even read it? "or other downloads" essentially means that an employee has to get written consent every time they check their email or fire up their web browser. Heck, even turning on the computer is probably going pass some handshaking bits back and forth with other hosts in the the network. Oh Noes!! I should have gotten written permission from IT before turning on my computer. Please.
    posted by juv3nal at 8:25 PM on April 24, 2006

    A bit of this depends on whether or how much you're expected to police the employees or just maintain the computers, which would vary from company to company – are you expected to assume a police function or are you just supposed to write a policy and get it out of the way?
    posted by furiousthought at 9:05 PM on April 24, 2006

    I just got a lot of interesting links from googling "computer acceptable use policy template". There's a ton of different ones where you can just swap out "company name" for your company name.
    posted by AmbroseChapel at 9:12 PM on April 24, 2006

    Er, juv3nal, I might be reading CrayDrygu wrong, but the way I interpreted it was that it was installation of 'other downloads', not simply downloading things, that was forbidden.

    That's a policy that makes sense and is far from draconian. Letting secretaries download things is (usually) OK. Letting secretaries install things on your network is never OK.

    What I find wrong with what Huron Bob said is that it makes for an excessively miserable work environment. Keeping non-business-related computer use to a minimum allows the managers wiggle room and lets the truly innocuous (checking during a break) go under the radar.

    Most of my friends use Meebo or Gmail Chat while at work, too, since this removes the need to install anything on their company machines.
    posted by Ryvar at 9:16 PM on April 24, 2006

    juv3nal: Please, yourself. You somehow missed the very first two words, so I'll repeat them in bold italics: "Installation of." The only thing that is "installed" on a computer is software. Email, websites, and authentication packets are data, and are therefore not "installed."

    (This would seem to preclude wallpaper, however many sites distribute it as an executable, so as to have their spyware tag along.)

    But, you know, thank you for putting words in my mouth. I also appreciate your suggestions on how I could have improved the phrasing.
    posted by CrayDrygu at 9:21 PM on April 24, 2006

    my bad.
    posted by juv3nal at 9:29 PM on April 24, 2006

    Apology accepted. And I apologize for being snarky (perhaps overly so) in my reply.
    posted by CrayDrygu at 9:37 PM on April 24, 2006

    I'm trying to wrap my brain around having 400 employees in 8 locations and he's the first full time IT person they've hired...
    posted by jeversol at 10:07 PM on April 24, 2006

    I'm with you, jeversol. I had to stop and shudder for several long seconds.

    We have fairly succinct boilerplate in our employee manual (I'd quote it, but I don't have one, and it probably needs to be rewritten) that boils down to "it's company equipment, buddy, so use it to do your job" and a reminder at login that it's company property and you have no privacy. And the user security permissions keep them from installing anything, which means they can't even accidentally install malware. Nor can they do bad licensing things, inadvertently uninstall Office, and other shenanigans. Pretty much, you'd have to be running your ebay business from your desk or looking at porn to get in firing trouble from an IT angle, and that makes us happy because we don't want to have to care.

    That's not really answering the question you asked, but that's how we keep our legalese to the bare minimum.
    posted by Lyn Never at 6:35 AM on April 25, 2006

    I second the suggestion of banning IE outright.
    posted by rabble at 8:37 AM on April 25, 2006

    If anyone is still reading this....

    Yes, it is amazing to me too that they've never had a full-time guy. They went from 100 employees to 400 employees in less than 2 years. They had (and continue to have) 3rd-party helpdesk support. They were paying these guys $300 per machine each time a workstation was added to the network.

    The company is continuing to grow, and there is definitly not a a shortage of challenges. Their expectations are high but reasonable, and they're giving me the tools.

    I'm actually having a great time. 3 months in, and I still continued to be welcomed like a Messiah when I meet someone for the first time!
    posted by Roach at 10:27 AM on April 26, 2006

    « Older Sanding a Deck: How little can I get away with?   |   The Perfect Hooded Sweatshirt Newer »
    This thread is closed to new comments.