An information technology Acceptable Use Policy (AUP) creates an understanding between the users of a system and the system owner of what is and is not acceptable. The AUP details the criteria that establish the same rules for everyone. The AUP also serves as documentation, which the user signs, showing that the user knows the rules they are to follow and the consequences of not following them.
This paper attempts to draft a policy for a fictional online retail company named Sporting Goods. The paper concludes by explaining why the areas in the policy draft were chosen, along with the ethical and legal effects of the draft.
Sporting Needs is a retail business organization that provides sporting apparel and equipment for athletes of all ages. Sporting Needs sells its products at retail locations and online to support its customers' needs. Sporting Needs consists of approximately 500 personnel. The personnel range from business executives, retail associates, and retail managers to IT personnel, who keep the company's website accessible, updated, and secure, and customer service representatives.
Employees of Sporting Needs are required to understand the acceptable use of company information technology assets before using them.
Sporting Needs provides policies, known as Acceptable Use Policies (AUPs), outlining the requirements for the use of Sporting Needs information technology assets. The following Acceptable Use Policies represent an agreement between Sporting Needs and its employees on the use of Sporting Needs information technology assets.
Acceptable Use Policy
1. Overview
This policy's purpose is to define what is tolerable and intolerable in the use of electronic devices and network resources, consistent with the established culture of trust, integrity, ethical and lawful behavior, and openness expected of the Sporting Needs organization. (Reid, Hilldale, 2006)
Information technology systems, including but not limited to computer equipment, networks, email, social media, and internet use, needed to meet missions, goals, and initiatives are the responsibility of Sporting Needs. Sporting Needs is responsible for the management, use, and security of its information assets. This policy requires users of Sporting Needs information technology assets to adhere to company policies in order to protect the Sporting Needs organization and the users of its information technology assets.
2. Purpose
This policy details the acceptable use of Sporting Needs computer equipment and information technology resources. Improper use of Sporting Needs computer equipment and information technology resources exposes Sporting Needs to risks that could compromise its network and systems. (SANS Institute, 2014)
3. Scope
All employees (temporary and permanent), consultants, contractors, other workers, and persons, including all persons connected with third parties, using Sporting Needs computer equipment and information technology resources must abide by this policy in accordance with local regulations and laws.
This policy applies to computer equipment and information technology resources used in conducting business that are owned or leased by Sporting Needs, or that are connected to a Sporting Needs network or system, whether residing at a Sporting Needs site or connected through the internet. Exceptions to this policy must have advance approval from the Sporting Needs information security team. (SANS Institute, 2014)
4. Policy
4.1. General Use
4.1.1. As a user of Sporting Needs computer equipment and information technology resources, you are responsible for exercising good judgment in their use in accordance with Sporting Needs standards, guidelines, and policies.
4.1.2. Users are not to use Sporting Needs computer equipment and information technology resources for any illegal or unauthorized purpose. Examples include, but are not limited to:
4.1.2.1. Distributing and downloading pirated data or software.
4.1.2.2. Transmitting worms, Trojan horses, trap door code, or viruses
4.1.2.3. Accessing, storing, displaying, or transmitting any sexually explicit or pornographic material
4.1.3. Sporting Needs proprietary information stored on computer equipment leased or owned by Sporting Needs, employees or a third party, remains the exclusive property of Sporting Needs.
4.1.4. Use, sharing, or access to Sporting Needs proprietary information is authorized for its intended purpose and the fulfillment of assigned duties.
4.1.5. Users are responsible for reporting the loss, theft, or unauthorized release of Sporting Needs proprietary information.
4.1.6. Sporting Needs reserves the right to monitor and audit networks and systems periodically to ensure compliance with this policy.
(SANS Institute, 2014)
4.2. Technical
4.2.1. Users require a user ID and password to access Sporting Needs networks and systems.
4.2.1.1. Sporting Needs prohibits the sharing of user IDs and passwords.
4.2.2. Only Sporting Needs issued mobile devices are approved to access Sporting Needs Systems and networks.
4.2.3. No security or port scanning is allowed without prior approval from the information security team.
4.2.4. Sporting Needs prohibits the use of any of its computing equipment or information technology resources in disruption of any network or system or to illegally penetrate any other network or system.
4.2.5. Sporting Needs data and information will not be stored on anything other than Sporting Needs computing equipment.
4.3. Email
4.3.1. Email use must follow Sporting Needs procedures and policies along with appropriate business practices and applicable laws.
4.3.2. Use of a Sporting Needs email account is for Sporting Needs related business. Personal use is limited, and commercial use of non-Sporting Needs content is prohibited.
4.3.3. No transmission of offensive content, such as discrimination based on color, gender, race, sexual orientation, age, religion, or disability, or pornography. Employees receiving such content in email from another Sporting Needs employee should report the incident immediately to their supervisor.
4.3.4. No creating or sending of chain letters, spam, or any content deemed inappropriate according to Sporting Needs policies and applicable laws.
4.3.5. Separate folders are required for personal email and work related email.
4.3.6. Email identified as a Sporting Needs record of business will be retained according to the Sporting Needs Data Retention policy.
4.3.7. No use of third-party email systems such as Hotmail, Google, and Yahoo in conducting Sporting Needs business, obligatory transactions, or for storage of Sporting Needs email.
4.3.8. There is no expectation of privacy in the use of the Sporting Needs email system.
4.3.9. Sporting Needs is not obligated to monitor its email system but reserves the right to monitor email without prior notification.
(SANS Institute, 2013)
4.4. Social Media
4.4.1. Company Social Media Content
4.4.1.1. Only authorized individuals can post content on any Sporting Needs sponsored social media.
4.4.1.2. Clearly identify yourself and your role in representing Sporting Needs.
4.4.1.3. Present yourself in a professional manner, as you are representing Sporting Needs.
4.4.1.4. No conducting of business with business partners or customers through social media.
4.4.1.5. No posting of any content deemed workplace inappropriate as outlined in Sporting Needs policies and according to applicable law. Examples include drugs, sex, violence, nudity, and gambling.
4.4.1.6. No disclosure of proprietary or confidential information. Adhere to all privacy and confidentiality procedures and policies of Sporting Needs.
4.4.1.7. Do not mention partners, suppliers, or customers without their written consent.
4.4.2. Personal Social Media Content
4.4.2.1. Personal social media access is to be limited so as not to impede work performance or quality.
4.4.2.2. Inappropriate content will not be accessed using Sporting Needs information technology resources.
4.4.2.3. No reference that you are representing Sporting Needs in personal posts. No use of the Sporting Needs name or content.
4.4.2.4. Use a disclaimer such as "The postings on this site are my own personal views."
4.4.3. Social Media Security
4.4.3.1. Passwords for social media are to be totally different from passwords used to access Sporting Needs networks and systems.
4.4.3.2. Do not click on unknown links or download content that is unidentifiable.
4.4.3.3. Exit from any suspicious content and close the browser.
4.4.3.4. Configure all social media account settings to use encrypted sessions where possible. This is especially important on untrusted networks such as unsecured public Wi-Fi.
5. Compliance and Enforcement
5.1. The information security team will ensure compliance through methods including, but not limited to, external and internal audits and system and network monitoring.
5.2. Exceptions to this policy must be approved by the information security team, and the approval must be documented in writing.
5.3. Any user found to be in violation of this policy may be subject to disciplinary action such as access revocation, suspension, or termination.
5.4. If a user is found to have violated the law, the information will be turned over to the authorities. There is no expectation of privacy when using Sporting Needs networks or systems.
(SANS Institute, 2014)
6. Revision History
Date of Change | Responsible | Summary of Change
13 July 2015 | Sporting Needs Policy Team | Policy created
(SANS Institute, 2014)
Ethical and Legal Implications
There are some ethical and legal implications to consider in drafting an Acceptable Use Policy (AUP). An Acceptable Use Policy outlines what is considered acceptable (good) and unacceptable (bad). An employee will not know what they can or cannot do if they are not told what is acceptable and what is not.
Even though an AUP details what is and is not acceptable, the organization has to ensure compliance with the policy. The organization will have to implement some type of monitoring and/or audits. If there is no enforcement, why have a policy at all?
Monitoring is easier because most of a worker's daily tasks involve using the internet and email. What and how much to monitor becomes the issue. Company resources are for company business, but organizations know that their resources are used for non-business purposes. To protect themselves from workers using their resources to do something unacceptable or illegal, organizations monitor those resources. Monitoring could reveal someone using the organization's resources for other things that can cause financial or criminal harm. Monitoring also shows that an organization is exercising due diligence in deterring criminal acts or attempted security breaches of its systems. (Yerby, 2013)
Too much monitoring can lead to higher stress, unfair use of monitoring by the employer, and low morale. Too little monitoring can lead to the possibility of adverse action that could ruin an organization. An organization has to try to reach a balance.
Monitoring brings up the discussion of a person's right to privacy. An Acceptable Use Policy should be in place indicating what is monitored and how much. Monitoring is included in the policy draft above to inform the user of the possibility of monitoring to enforce policy compliance. An organization is entitled to ensure that its resources are used for their intended purpose and that any issues will not hold the organization liable for criminal prosecution or civil suit. How much an organization is entitled to ensure is debatable. Regulating how and what is monitored is an option. (Yerby, 2013)
Creating an Acceptable Use Policy states that all persons who fall under and have accepted the policy will be governed the same way. The Acceptable Use Policy offers the idea of fairness. It can also help in any legal proceedings as documentation of what was prohibited and what was allowed.
Providing new hires with an Acceptable Use Policy will instill in them what they are required to do and how they are required to conduct themselves when using the organization's resources. This introduces the new hire to what is expected and to the culture that the organization is trying to display and maintain. Updating the Acceptable Use Policy and requiring its resubmittal will keep persons informed of any changes and serve as a refresher on what is required.
The Sporting Needs Acceptable Use Policy was created to limit the amount of liability against the organization. Outlining that illegal actions are unacceptable transfers the responsibility for an illegal act to the individual. A person who accepts the policy is accepting responsibility for their actions, which protects the organization from direct responsibility for an individual's actions. Detailing disciplinary actions for violating the policy protects the organization against termination lawsuits. (Tomhave, 2004) An organization can still be liable indirectly for a person's illegal actions.
If the organization does not have mitigating actions or procedures in place to deter or assist in finding the illegal activity, some responsibility can fall on the organization. Specifying actions to enforce the policy, such as monitoring and auditing, shows that the organization provided oversight for policy compliance, which can help exonerate the organization from indirect responsibility. (Tomhave, 2004)
Policy Analysis
In determining what to put in the Sporting Needs Acceptable Use Policy, ethical and legal implications were the primary factors. An Acceptable Use Policy can protect the organization as well as the worker. The policy helps establish culture and professionalism throughout the organization.
Acceptable Use Policy templates from different online sources were analyzed, and certain sections and parts were combined to form the policy draft for Sporting Needs. The primary goal was to create a policy that would help limit the liability of Sporting Needs for any wrongdoing at the hands of individual workers.