When drafting a usage policy it is important to remember this, and decide
what your priority is. If you are using
it for both, then I would argue that simply publishing the policy and getting
staff to indicate that they have read it isn’t enough; it will be treated like
a EULA – agreed to but never read.
Ultimately, every organisation must make its own decisions with respect
to IT policy, so banning staff from using social networking sites, for example,
may be appropriate. Certainly, I have
been with companies in the past who impose a total ban on internet access through
company hardware. However, this is
increasingly impractical with the current trend toward BYOD. If you are allowing access to your network
with these devices then usage policies become increasingly important,
particularly if one of those devices happens to have been jailbroken.
This latter point does highlight the ironic fact that often these usage
policies are written and forgotten about, despite the fact that they apply to
the fastest moving technological and social trends.
In security terms, every unauthorised or non-work-related interaction
that your employees have on the web is another potential attack vector. Therefore, returning to the beginning, I
believe a good usage policy should be a foundation on which to build effective
user training. The document itself
should be accessible; it should be clearly written, avoiding as much jargon as
possible. Ideally, it should have a bullet-pointed executive summary which
distills the points you are most keen to establish. However, it should be backed up with suitable
training.
Consider this recent
article in the Washington Post: If
your staff fall prey to a mock phishing attack that redirects them to your IT
policy, they’re a lot more likely to remember it.
It stands to reason: If employees
understand why you have a policy in the first place, and the potential problems
in ignoring it, then they will be more likely to follow it. You can inculcate the policy into the culture
of your organisation in this way, hopefully reducing the times you have to
raise the failure to comply with the policy in a disciplinary interview. By then, the damage is already done.