The Acceptable Use Policy (AUP) is arguably the most important of all your policies. Most security breaches have a human element from your own employees; deliberate or accidental.
The Consumer Data Right gives Australian’s control of their data. That enables innovation in new products and services to those consumers. To participate as a data recipient, there are five governance requirements and 24 information security requirements. These are independently audited by a qualified firm like AssuranceLab, and included in an assurance report for accreditation.
The Acceptable Use Policy addresses one of the 24 information security requirements. It also includes employee practices that support several of the other 24 requirements indirectly.
Security for your organisation is like a chain that’s only as effective as the weakest link, which is usually people. The objective of this policy is closest linked with the security awareness training - the policy and training often go hand in hand.
The AUP is a key document to mitigate security risks. It sets out the required security practices, behaviours, and prohibited activities for your employees to protect your sensitive information assets, including your customers data. It’s the organisational rules around your security. This policy should be signed off by your new joiners and ideally annually to support awareness and accountability. It’s complemented by security awareness training that is best to cover general security threats and secure behaviours, as well as organisation specific acceptable use practices like those covered in your AUP.
The Acceptable Use Policy should consider the following areas. Their relevance is organisation specific depending on the nature of your systems, processes and environment.
- Authentication - passwords, multi-factor, the use of password managers, and secure behaviours like not sharing passwords, accounts, or using the same across systems.
- Physical security - preventing tailgating, not sharing access, reporting lost access passes, hours of access, and “clean desk” requirements.
- Device controls - practices to protect company and/or BYOD, mobile, laptop and desktop devices, like automated screen lock, hard disk encryption, and software installation.
- Customer data - restrictions on using customer data like exporting from the system, emailing sensitive contents, and abiding by privacy and confidentiality requirements.
- Secure behaviours - restrictions on accessing websites, unapproved cloud services, downloading attachments or programs from unknown sources, updating operating systems and anti-virus software regularly.
This non-exhaustive list is potentially endless. There are some common terms seen in most AUP’s, but this policy is imperative to have tailored to your organisation. There’s no defined conclusive list of what you should enforce. It’s a risk-based approach balancing the needs of your business with the security risks in your environment.
Across each of these acceptable use practices, there’s generally a way to automatically enforce them, and/or a manual or behaviour-driven approach. For example, you can block software, removable media, data exports, and unapproved devices systematically. Or you can require employees to get approval or only use pre-approved options, without systematic enforcement. In this latter case, your culture and monitoring are important to support compliance with the requirements. This less system-restrictive approach can be more user-friendly and support your organisational agility.
Looking for an example AUP?
Get in touch and we can share one: firstname.lastname@example.org
The CDR Perspective
An acceptable use of technology policy should include the obligations and requirements of personnel when interacting with systems or data within the CDR data environment in regards to security and privacy. These obligations should be agreed to by all personnel interacting with the CDR data environment (such as through an e-signature) and disciplinary action resulting from breach of the policy should be defined and enforced. Where possible, monitoring of compliance to this policy should be implemented, such as through web and email content filtering (see above).
AssuranceLab is a modern cybersecurity audit firm. We're experts in the latest software and cloud providers. We guide your team through the compliance practices in a way that fits your environment and culture. We work closely with clients through our agile and collaborative approach; saving time, costs, and headaches along the way.