It is important to set clear expectations for what’s acceptable behavior for those using an organization’s technology assets. An AUP defines the intended uses of computers and networks, including unacceptable uses and the consequences for violation of policy. An AUP also prohibits accessing or storing offensive content. The following topics are typically found in an AUP:

• Basics of protecting an organization’s computers and network
• Managing passwords
• Managing software licenses
• Managing intellectual property
• Email etiquette
• Level of privacy an individual should expect when using an organization’s computer or network
• Noncompliance consequences

A good AUP should also be accompanied by awareness training. This training should address realistic scenarios an individual might face. The following situations are a few examples of what might show up in AUP awareness training:

• A coworker asks you to log on to the network or an application because he or she is waiting for access to be approved. What should you do?
• You receive a politically sensitive joke via email. Should you forward the email?
• The person next to you spends many hours a day surfing the Internet for stock tips. What should you do?