Network Perimeter Security: Building Defense In-Depth

Not every security control is technical in nature. The acceptable use policy (AUP) is a portion of the information security document that clearly describes to network users the boundary between acceptable and unacceptable usage of network resources for your company.

A quick search of the Internet will provide any number of sample acceptable use policies for your perusal; but like the security policy, in the end it is important that the AUP specifically address your network environment. Copying and pasting an AUP from another organization will only cause confusion and headaches for the IS team when users begin to either do their job and find that their normal job functions are somehow in violation of the AUP or challenge the AUP in some manner.

The primary objective of the AUP is to support the goals set out in the information security document. Although you should welcome input in the creation of the AUP, the document should not contradict or otherwise come into conflict with the goals of the information security policy. At the same time, users should know that the AUP is not to simply take the fun out of their jobs, but to ensure that the information security policy, which supports the objectives of the business, is upheld.

Every AUP is going to be different, but successful AUPs share a lot of common characteristics, including:

• They involve as many people as possible. This means that department managers as well as end users of the network are able to provide input into the content of the AUP.

• The policy is unambiguous. It is simply going to amaze you how Matt down in technical support, who cannot seem to finish any project in less than four days, is able to point out every inconsistency and ambiguity in the AUP. The rules should be well-defined and concise, with the penalties for noncompliance clearly stated.

• Address data privacy and user's rights, along with a process for settling grievances and requesting changes.

With that in mind, what follows are some suggestions for items to consider when creating an AUP. Some of these items are fairly cut and dry; but when appropriate, flexibility and compromises are also discussed.

• Are users allowed to conduct personal businesses using company resources? Generally, the answer to this is "no." It is difficult to keep the users' business requirements from interfering with those of their employer. This also means that users may not set up unauthorized services on the network such as Web servers, file servers, etc. It may also include accessing e-mail from another account and using company network resources to send and retrieve it.

• Is there any time that a user can use information resources for personal use and, if so, when or where can they do this? What restrictions are placed on them? Remember that even if users are staying late at night to use the network or respond to e-mails, their use of the company resources will reflect on your company. Is it OK for them to send personal e-mail but not surf the Web, or vice versa?

• Users must comply with the appropriate laws and policies regarding harassment, libel, copyright infringement, etc. at all times. Be sure to explain what these are in the AUP for those users who may be unclear.

• Closely related to the above rules is policy regarding sexual or pornographic images or other material from being retrieved, stored, viewed, or forwarded by the users of the system. Many organizations expand that to include chain letters, jokes, etc.

• Users must not install any type of unauthorized software on their PCs. Such software might include games, personal programs, distributed computing clients, peer-to-peer file sharing programs, etc. The environment that runs only those applications necessary to the success of the business will be the most secure environment.

• Users must obey all copyright laws while using network resources. This means they cannot store their MP3s on the company hosts.

• Users will make no effort to eavesdrop, sniff, or otherwise monitor the communications of other staff members. This usually also includes the installation of sniffing software on their computers, impersonating another user, and attempting to circumvent established information security procedures.

These are just the tip of the iceberg, but they should give a good idea of the types of topics that an AUP should address. Some AUPs simply lay out these rules while others attempt to organize them according to task or network usage such as "Email AUP," "Web Use AUP," etc. in an attempt to make the rules as specific as possible. Again, this decision will be based on your operating environment and user needs.