Acceptable Use Policy and Compliance
Rules? What Rules?
Popular social theory states that without rules—in an absence of order—there is chaos, lack of direction, systematic breakdowns and generally destructive activity. That's a pretty good description of what the Internet, and consequently the networks attached to it, would look like if there weren't established norms of protocol, regulation and "digital behavior"; rules, if you will.
Typically, those rules are very focused and explicit at the organizational level, and tend to become less stringent outside the organization. But they exist everywhere. On the Internet, Web and email protocols are well established—ignored at the risk of being shut out of the Internet community. In fact, many security measures are designed to detect communications that ignore protocol—the most obvious indication that someone isn't playing by the rules. Internally, organizational expectations, in the form of an acceptable use policy (AUP), are communicated and (hopefully) enforced; a sort of "if you use our network, you do things our way" document. Of course, without a means to enforce the rules, they don't mean much.
In addition to organizational and global network use policies, there are industry-specific and general compliance mandates and legislation. In order to protect privacy and control access to sensitive information, strict standards have been adopted for Web and email communications. These laws often require the implementation of information management tools.
M86 Security helps organizations enforce Web and email rules, mandates and compliance requirements—in addition to providing gateway security, increased productivity, reduced legal liability, and managed network bandwidth.
Acceptable Use Policy
Defining a clear policy is the first step to security. Acceptable Use Policies (AUPs), also known as Internet Access Policies (IAPs), stress organizational expectations of Internet usage. By setting guidelines, companies emphasize that Internet access at work is a privilege, rather than a presumptive right. AUPs help to manage Internet access by informing users of their responsibilities and rights regarding company network resources, including issues surrounding email, Internet and removable media. Adherence to the AUP can increase productivity, reduce bandwidth consumption, and lower the chances of legal liability. Technology is strongly recommended to help monitor and enforce adherence to the AUP.
Components of an Acceptable Use Policy
Consider addressing the following issues when developing an Acceptable Use Policy. The list below is not intended to be exhaustive, but includes suggestions that might help you when addressing areas relevant to email, Internet and removable media usage:
Acceptable Use
Email and Web access are organizational tools provided for business, research or educational use. Users should not have an expectation of privacy in anything they create, store, send or receive on their computer.
The use of removable storage devices in the workplace - whether owned by the company or the user - needs clarification.
The adoption of an Acceptable Use Policy will be much smoother if users are educated on acceptable use.
Unacceptable Use
Common examples of prohibited use include transmitting, storing or receiving communications that are discriminatory, harassing, obscene or X-rated, abusive, profane or otherwise illegal. There should be clear repercussions for unacceptable use, such as disciplinary action. There should also be clear procedures for how unacceptable use will be handled when it is detected.
Personal Use
Many organizations find that when they allow limited personal use of the Internet and email, staff are more productive than if personal use is completely prohibited. This may also apply to personal, portable media devices such as USB sticks and MP3 players.
Another critical factor related to personal use is consistency with regards to enforcement and setting precedents. It can be very detrimental to suddenly ban users from certain types of personal use when that use has been acceptable in the past.
Confidential Information
Proprietary information should not be divulged improperly. Highly confidential information, such as company trade secrets, new product plans and sensitive customer or user information, should not be sent out via email or the Internet without encryption. Such information shouldn't be copied onto removable storage media. Specific protocols noted in the AUP might be part of industry regulations or legislation.
Responsibility
Users should be informed that they could be held responsible for the content of all communications they store or send using email or the Internet. All email should be identified with a name or email address; users should not attempt to hide their identity or place someone else's identity in organization communications (spoofing).
Copyright
Employees should also be informed about copyright issues relating to electronic copies of documents obtained via email or the Internet, and copyrighted materials that are copied onto removable media.
Monitoring and Enforcement
If a company plans to monitor or otherwise enforce the Acceptable Use Policy, this should be clearly stated in the policy. It should also state that all communications sent or received via email and/or the Internet are the property of the company, which reserves the right to monitor all messages/files on the company's network. The policy should also state that the company reserves the right to monitor all company documents that are copied onto removable media and to enforce the AUP accordingly.
Benefits of Education
Informing and educating users about the Acceptable Use Policy provides a number of benefits.
- An enforceable Acceptable Use Policy
- Voluntary compliance and limited liability if you face litigation over staff misuse
- Heightened awareness to prevent accidental spam/virus intrusions or other confidentiality breaches
Enforcing Acceptable Use Policies
Trying to implement an AUP without enforcement is like passing laws without a police force. There will always be a small minority of employees that will create problems if there is no means of enforcement.
There are many technology options available to support Acceptable Use Policies, and these should be augmented with communication, education and follow-up from management. M86 Security's content security and endpoint security solutions can play an important part in monitoring and enforcing compliance in support of the Acceptable Use Policy.
Compliance, Regulation and the Law
Regulatory compliance and legal obligations are now key motivators for securing and protecting confidential information.
Web and email monitoring and reporting can help companies prove they're in compliance with regulations or reveal problems that can be rectified before auditors discover them—avoiding fines, loss of contracts, damage to reputation, and even a drop in stock prices.
A well-known example is the US HIPAA legislation (the Health Insurance Portability and Accountability Act). One of the main aims of HIPAA is to address the security and privacy of health data. This places significant obligations on the healthcare industry to ensure the privacy of patient information; without reporting and monitoring technology, the task is nearly impossible.
The Sarbanes-Oxley Act (SOX) requires all financial systems and related reporting systems to be locked down to prevent insider information from being illegally shared. Web mail, IM exchanges, and FTP activity all qualify as reporting systems. Organizations that want to ensure compliance are smart to employ Web and email reporting tools that can track all user activity.
SOX also imposes blackout periods when companies are being sold or large blocks of stock are being offered to the market. Sharing insider information during these periods is a violation of Securities and Exchange Commission regulations. Unfortunately, if only one individual breaks the rules, the entire company suffers. Here again, effective Web and email security makes it possible to spot these transactions, shut them down immediately, and deal with the problem.
Examples of Well-Known Compliance Mandates:
Education
Children's Internet Protection Act (CIPA)
CIPA requires schools and libraries receiving federal E-Rate funding to limit children's access to the Internet, in an attempt to prevent online access to pictures, Web sites and email content that are obscene, contain child pornography, or are harmful to minors. Schools and libraries must certify that they have the appropriate filtering technology in place in order to receive discounts on computers and Internet access from the government.
M86 Security offers schools and libraries complete CIPA-compliant Web and email filtering, monitoring and reporting solutions.
Financial Institutions
Gramm-Leach-Bliley Act (GLBA)
GLBA, also known as the Financial Services Modernization Act of 1999, includes provisions to protect consumers' personal financial information held by financial institutions. In addition, the GLBA protects consumers from individuals and companies that obtain their personal financial information under false pretenses, a practice known as "pretexting." This law applies to financial institutions such as banks, securities firms, and insurance companies as well as companies providing financial products or services to consumers.
Sarbanes-Oxley Act (SOX)
SOX's stated purpose is "to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes." Written specifically to address the issues that cropped up during the Enron, WorldCom, and Arthur Andersen fiascos, SOX makes corporations accountable to customers by aiming to prevent corporate mismanagement. Since only 37 percent of companies reported that they have a security strategy in place despite widespread phishing scams, corporate espionage, and identity theft, SOX is crucial in maintaining corporate and customer security (State of Information Security 2005).
M86 Security helps financial institutions comply with GLBA and SOX by limiting user access to non-public corporate and customer data, as well as by monitoring and preventing the access and distribution of that data.
Healthcare
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA requires that all patient health insurance (PHI) data transmitted over the Internet be encrypted and secured. It sets out detailed regulations on the confidentiality of patient records and keeping them safe from unauthorized use or viewing. HIPAA affects virtually all health care providers, health plans, public health authorities, life insurers, information system vendors, various health service organizations, and schools.
Specific security requirements set out in HIPAA include:
- Ensuring the confidentiality, integrity, and availability of all PHI the covered entity creates, receives, maintains, or transmits
- Protecting against reasonably anticipated threats to PHI
- Protecting against uses or disclosures of PHI
M86 Security's Web and email filtering and reporting technology helps healthcare organizations limit user access to sensitive customer data and helps prevent costly threats such as phishing and spyware from infiltrating a company's network.
Business Enterprise
California SB 1386
California SB 1386 requires an agency, person or business that conducts business in California and owns or licenses computerized "personal information" to disclose any breach of security to any resident whose unencrypted data is believed to have been disclosed. The law stipulates that if there is a security breach of a database containing personal data, or even a suspected breach, the responsible organization must notify each individual for whom it maintained information.
This law pertains to:
- State agencies, individuals or businesses that conduct business with California residents, regardless of their location, even if they only handle the data of one resident of California
- Organizations that have employees based in California or that provide outsourcing services for those employees in California
Data Protection Act 1998 (Retention and Privacy)
The U.K. Data Protection Act of 1998 specifies that personal information held electronically must be secured, only transferred appropriately, and kept for limited times. The details of an organization's obligations will depend on its jurisdiction.
M86 Security solutions can address many of the requirements for modern legal compliance - namely retention of records, security of private information and monitoring of communications for compliance with laws and regulations. Our Web and email filtering, monitoring and reporting solutions help manage access to, and distribution of, sensitive content, and protect networks from costly threats such as adware, spyware, and malware, which put sensitive content at risk.
