If organizations do not document and communicate acceptable use requirements, and have personnel agree to them, personnel may not be limited in what actions they can perform or how they perform them.
Accountability for the improper use of systems or information is difficult to enforce if usage limitations or behavioral restrictions are not provided and acknowledged. Acceptable asset usage is the focus of pitfall #23 in my eBook, Security Program Pitfalls and Prescription to Avoid Them.
Acceptable use requirements for information systems, along with the information contained therein, should be identified, documented, and implemented. The intent of defining acceptable use is to deter personnel from using your organization’s information assets for unauthorized purposes. Acceptable use requirements should be readily available for all personnel to acknowledge and agree to. Acceptable use requirements should be reviewed at least annually. Any updates made should be communicated. All personnel should be required to read, acknowledge, and re-sign acceptable use requirements annually.
Your organization’s acceptable use requirements should address restrictions on the use of social media, networking sites, posting information on commercial websites, and sharing information system account information. Acceptable use requirements should also require explicit access approval by authorized parties, along with user authentication, prior to the use of any technologies belonging to your organization.
System logon banners should be displayed for all users as part of the secure logon process to your organization’s systems. Users should be required to acknowledge the logon banner before continuing with the logon process. At a minimum, logon banners should include:
- The information system, computer technology, and information being accessed is private and owned by the organization.
- Unauthorized access and unauthorized use are prohibited.
- Conditions for accessing the organization’s systems, including implied consent to monitoring, recording of all activities performed, acceptable use requirements, and access limitations.
- Applicable privacy and security notice provisions.
To learn more about this pitfall, and 99 more, get my book: 100 Security Program Pitfalls and Prescriptions to Avoid Them (available on Amazon). Or register for a demo of the ASECENT Security and Compliance Portal and get a free synopsis of the 100 Security Program Pitfalls eBook today.