Security is only as effective as the weakest link in the chain. The Acceptable Use Policy strengthens those links across the organisation.
Security relies on a broad, holistic, good practices with multiple layers of protection. In addition to protecting the system and physical security, it also needs to account for the behaviours of employees and other users of the systems and data. That’s where the Acceptable Use Policy (AUP) comes in!
Even the best security practices, cannot prevent everyone from having access to the systems and data. There needs to be system administrators, services teams and in most cases, live users accessing the systems and data. If any of those with direct or indirect access to the systems and data don’t perform appropriate, secure behaviours, it gives rise to vulnerabilities and security risks. Cybersecurity firms report that the leading causes of security breach are from internal employees rather than external “hackers”.
Basic security awareness and good-practice behaviours are universal and can form the skeleton of the AUP. However, it should also consider the specifics of the company. Whether BYO device is supported, the nature of remote working practices, how the system operates, the roles and responsibilities that support the system, etc. These company-specific elements give rise to varied important and types of acceptable behaviours that should be considered in the AUP.
The AUP document itself is a set of "rules" that govern employees behaviours. It may include hard requirements as well as guidelines. It's important to ensure there is accountability around the AUP; common practice is to have all employees sign it upon commencement of a role with the company. It may also be re-confirmed annually. It should be supported by some form of monitoring that can identify and take action where employees breach the key requirements of the AUP.
There's various free and paid templates available online. Some of the basic elements, as examples, to consider are:
Authentication: min. password requirements, multi-factor authentication, restricted use of account sharing, authentication tools used;
User devices: Security requirements like AV, regular OS & AV updates, restrictions on software installation, use of removable media, VPN, internet browsing restrictions, limited use of devices;
Confidential information: Classification and handling practices, printing, taking documents off-site, exporting from the system, emailing of customer data;
Physical security: Tailgating, ensuring doors are closed, the sharing of access cards, notifying management of suspicious activity, visitor access and logging;
The AUP commonly overlaps with the Code of Conduct and may be incorporated into a single document.
The SOC 2 Perspective
The acceptable use policy is often only represented in one or two of the criteria of SOC 2 reports (below), but provides the foundation that covers many more. It's one of the few control practices that is a "must-have" to achieve SOC 2 compliance.
COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
Common Criteria 6.6: The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
AssuranceLab's Best Practices Series
AssuranceLab's best practices series, is about highlighting the "real operational benefits" that comes from effective control practices. At best, they support your company culture, provide structure and clarity, and enable scalable growth. At worst, they tick the box of what your customers expect, reduce the reactive "firefighting" and time-wasting, and help you demonstrate your compliance with leading standards like SOC 2 and ISO 27001.