Acceptable Use Policy

How to Create an IT Acceptable Use Policy + Templates

Creating an acceptable use policy for your information system is a good way of informing users of your security policies and limiting legal risks.

An acceptable use policy outlines what users can and cannot do on your systems. For example, it may allow use of your system for business purposes only. It may also require users to abide by your policies and procedures when using your systems. An acceptable use policy also lists some of the expectations your organization has of its system users. Expectations for users include following password best practices and not conducting illegal activity on your system.

What makes a good acceptable use policy?

An acceptable use policy must have a clearly defined scope specifying which systems it applies to. It should state who the data stored on your company systems belongs to (generally anything stored on a company system becomes the company’s data). It should state the conditions under which a user can use the system. For example, a user may only use the system to carry out his/her assigned job duties. It should state that your company has the right to monitor all activity on the system without the user’s consent. It should cover unacceptable use. Examples include prohibiting the use of company systems for hacking or anything else not in your company’s interests. You can also include clauses on the authorized use of email and social media.
Your acceptable use policy should be short and easy to understand. If it is too long, no one will read it. Obtain senior management’s approval of your acceptable use policy.

Require Users to Sign or Accept Your Acceptable Use Policy

What good is an acceptable use policy if no one knows about it or has accepted it? Require every employee or contractor to read and sign the acceptable use policy. This makes them liable for illegal or unauthorized activity they conduct on your systems. It also gives them a sense of responsibility and an idea of your expectations.
You can also have users accept your acceptable use policy before logging into their computers. This can be achieved via group policy. You can also put your acceptable use policy on your servers and other network devices so that admins are also warned before logging in.

Acceptable Use Policy Examples

Acceptable Use Policy Templates

Summary:

-An acceptable use policy notifies users of authorized and unauthorized use of your information system.
-An acceptable use policy protects your company from legal risks.
-An acceptable use policy gives users a sense of responsibility when using your systems.
-An acceptable use policy should be easy to understand.
-Require all employees and contractors to sign your acceptable use policy.
 
