78 What Every Engineer Should Know About Cyber Security
Example Policy
1. Introduction
This acceptable use policy (AUP) for IT Systems is designed to protect <Company X>, our
employees, customers, and other partners from harm caused by the misuse of our IT systems
and our data. Misuse includes both deliberate and inadvertent actions.
The repercussions of misuse of our systems can be severe. Potential damage includes, but is
not limited to, malware infection (e.g., computer viruses), legal and financial penalties for data
leakage, and lost productivity resulting from network downtime.
Everyone who works at <Company X> is responsible for the security of our IT systems and the
data on them. As such, all employees must ensure they adhere to the guidelines in this policy at
all times. Should any employee be unclear on the policy or how it impacts his or her role, he or
she should speak to his or her manager or IT security officer.
2. Definitions
“Users” are everyone who has access to any of <Company X>’s IT systems. This includes permanent
employees and also temporary employees, contractors, agencies, consultants, suppliers, customers,
and business partners.
“Systems” means all IT equipment that connects to the corporate network or accesses corporate
applications. This includes, but is not limited to, desktop computers, laptops, smartphones,
tablets, printers, data and voice networks, networked devices, software, electronically stored
data, portable data storage devices, third-party networking services, telephone handsets, video
conferencing systems, and all other similar items commonly understood to be covered by this
term.
3. Scope
This is a universal policy that applies to all users and all systems. For some users and/or some
systems, a more specific policy exists. In such cases, the more specific policy has precedence in
areas where they conflict, but otherwise both policies apply on all other points.
This policy covers only internal use of <Company X>’s systems and does not cover use of our
products or services by customers or other third parties.
Some aspects of this policy affect areas governed by local legislation in certain countries
(e.g., employee privacy laws). In such cases, the need for local legal compliance has clear
precedence over this policy within the bounds of that jurisdiction. In such cases, local teams should
develop and issue users with a clarification of how the policy applies locally.
Staff members at <Company X> who monitor and enforce compliance with this policy are
responsible for ensuring that they remain compliant with relevant local legislation at all times.
4. Use of IT Systems
All data stored on <Company X>’s systems is the property of <Company X>. Users should be
aware that the company cannot guarantee the confidentiality of information stored on any
<Company X> system except where required to do so by local laws.
<Company X>’s systems exist to support and enable the business. A small amount of
personal use is, in most cases, allowed. However, it must not be in any way detrimental to users’
own or their colleagues’ productivity, nor should it result in any direct costs being borne by
<Company X> other than for trivial amounts (e.g., an occasional short telephone call).
FIGURE 4.5
Sophos example IT AUP (http://www.sophos.com).