I had an opportunity this week to be on the receiving end of an acceptable use policy (AUP) – something that I should experience each and every time I work for a new client on their hardware, but something that isn’t often the case and thus is a bit of a novelty to me. It was accompanied by a form that required completion before I would be issued my user ID & laptop, so without further ado, as did my fellow conscripts1, I signed the form and returned it without so much as glancing through the AUP. Now, as a person who has written a dozen or more AUP, I had a pretty good idea of that which was contained within – to whit nothing of any interest what so ever, but I’d just signed over my acceptance of it’s terms and conditions without so much as a backwards glance. And this is the real issue with most policy and procedures, they are written by people who have little desire to educate or even get the user to genuinely accept the restrictions made on their life, but who write policy and procedure to cover their own, and the company’s, arse ( ass – for our American readers ). This is what has been fed down as doctrine from the dawn of time ( look at the 10 Commandments – after “Thou shalt not kill” – “Honour thy father and thy mother” ? Clearly an arse/ass covering exercise if ever I saw one ! ) – but actually this shouldn’t be what our policies should be about.
A policy should be an educational document, something that informs the reader of what they should do, why they should do it and what will happen if they don’t. Anything more than about 2 sides of A4 written in current legalese is going to destroy the minds of 99% of the people who read it – the other 1% probably write policies for a living, and read it as a matter of professional interest ( like I did, eventually, with the one that I was given ! ) Given that often staff have as much understanding of the topics at hand as children do when being told to behave, is it really unsurprising that the effectiveness of policy set like this that dissimilar to handing a six year old a twenty page policy about sweets before bedtime or a teenager a tome regarding drinking, smoking and curfew times ? I’m not suggesting that you should treat your staff like children ( although in some cases you might think that this may not be that bad a suggestion ), but how about a simple document that outlines more simply the things that you actually _care_ about ?2
The other week, the children and I had seen the first episode of Arrow ( Sky 1 in the UK, The CW in the US ) based on the DC comic book character “Green Arrow” – before the second episode, when my other ( better ) half joined us we had a short family competition, judged by Mrs.B – we each had to describe the previous episode to bring her up to speed in as few words as possible. I didn’t win, although I was pleased with my entry – but to summarise a full episode of a program – even one as well scripted as Arrow – in the winning twelve words that my son managed is an achievement. I’m proposing a variation on this game to drop an AUP down to a reasonable length – I’m bound by a confidentiality agreement, so I’m not going to reproduce the particular AUP that I’ve just agreed to, although I will say that it is one of the better ones that I’ve been party to, and is a mere 6 sheets or 12 sides of A4 ( although with copious use of title, back and blank pages, change control and other administrative blurb leaving 8 pages of actual text, however my opinion is that we should be able to drop this to two pages ( in the same font size3 ) without losing a single iota of meaning4. Here’s my stab at it.
Hi. Welcome to Organisation.
We take Information Security and the use of our systems very seriously – to this end, there are a few things that we’d really like you to agree to do when using any of the company computer systems.
Please choose a good password, a mix of letters and numbers, both lower and upper case are good. Remembering a good password can be difficult, but as a help, you might like to try using a consonant vowel consonant sequence to make it pronounceable – bogdotfan – and then add a number – bogdotfan25 and then mix it up with some upper case – bOgDotfAn25. Please do change the password when requested by the system, and do use a completely new one each and every time. Do protect the password – it is part of what identifies you on the system, and, when it is entered any and all action taken when using it will be assumed to be yours.
Do turn your laptop off when you are in transit – the encryption doesn’t work if the device has been left on or in standby.
Please help us to reduce the risk of malware or data loss by using only officially issued, encrypted USB devices in your company laptop or desktop.
Do respect privacy – be it personal, company or client. Do think about the data that you are using, what it should be used for, and who should see it. If you are at any time unsure – do ask – there is no punishment for asking. Do familiarise yourself with any relevant legislation to the data that you are handling, be it the Data Protection Act or the Official Secrets Act – these are Acts of Government and must be complied with.
Do use the computer and informations systems as you require to do your job, please, also, feel free to use them sensibly for personal use during breaks through the day. We ask that you maintain your usage, browsing and e-mail content to remain within the realms of both the inoffensive and the legal – if your Granny wouldn’t approve, neither will we.
Do use all of the software that we have licenses for, if there is something that you need to do your job that we’ve not supplied – do put in a request for it, we want to enable you. Do wait for us to install it though, we want to keep you and us above board and legal. ( This includes OpenSource software too please ).
We have access controls and lock down various parts of the network where there is sensitive data, do request access if you need to get to something that you’re not able to reach.
Do clear your desk at the end of the day or if you are going away from it. Do lock your screen too.
Do let us know if anything goes wrong, you lose anything that shouldn’t have been lost or if you see anything at all untoward – we do monitor things ( including you ) – but the chances are that you would notice things before we do – that quick response could make all the difference.
We really hope that you enjoy working here – there may be specific instructions for systems that you work on, these will be provided to you when you get your access. Other than that, please sign here to acknowledge that you understood and agree to do everything above.
Ok, so that’s 565 words – less than a single A4 page. I get that it could be refined and polished – but then it did only take me 10 minutes to paraphrase the 8 pages that it was before, with some added advice ( around the passwords ) and including, I think, the meaning of pretty much everything else. It’s a little flippant, but I hope that you might take my point on board – nobody is going to read a 40 page AUP, the number of people that will read a 8 page one is limited – 1 page, maybe 2 and you stand a chance – arguing enforceability is a lot harder when it is made really straightforward and easy to understand – and there is no excuse for even the shortest attention span of employee not getting it.
Give readability a chance !
[ Update: I noticed an oversight on this AUP – have a look here for a correction and a bit more besides ! ]
1. Not really conscripts, new hires, fresh meat, what ever you like to call us …
2. I know that there are lawyers out there reading this going round the bend with fear at the lack of arse/ass coverage, but actually consider the possibility that there might be less incidents overall – good news for you as well as for us in Security …
3. That works out to 20 words per line for 40 lines per page, or 800 words.
4. Incidentally, I would recommend that this is an excellent intellectual exercise for any of the documents, reports or, possibly most important of all, your PowerPoint presentations.