Acceptable-Use Policies: Human Defenses
Michael Swart, Steven, Daniel Connor
Learning Objectives
– Acceptable-use policy as a security and legal necessity.
– Balancing safety with piracy concerns.
– User accountability and responsibilities.
– Corporate accountability and responsibilities.
– Characteristics of an effective AUP.
Introduction
What is an AUP?
An Acceptable Use Policy is a company policy that defines (or should define) acceptable and unacceptable use of all components of the company’s information, computer networks, and communication systems.
An AUP should…
clearly specify the company’s standards for onsite access and remote access to corporate networks and secure use of company usernames, passwords, and computer accounts.
An AUP helps the organization fulfill its “duty of care” to provide employees with a non-hostile working environment.
In general, a duty of care simply means that a company or person can’t create unreasonable risk of harm to others.
A non-hostile environment is one where employees are free from actions that are offensive…
– Morally
– Ethnically
– Racially
– Religiously
Why do we need AUPs?
Illustrated by 2 court cases:
– California DMV vs Allstate Insurance
– MCI Worldcom vs two employees
Allstate Insurance Co Employees Illegally Access Confidential Information
In February 2003, the California DMV cut off Allstate’s access to digital driving records.
A customer’s confidential address had been released which resulted in a written threat.
Investigations found 131 violations of confidentiality rules.
Lawsuits Pending
The DMV director said he would ask the state attorney general’s office to seek fines against Allstate.
A civil lawsuit would be filed outlining the specific instances of improper behavior.
Accessing DMV information under false pretenses carries up to a $100,000 fine for each violation.
MCI Worldcom’s AUP Leads to Early Dismissal of Lawsuit
The lawsuit was brought by two employees who had received four emails containing racial jokes.
They claimed that the company had been negligent by allowing the corporate email system to be used for harassment.
They also claimed that the defendant retaliated against them for using the jokes in the suit.
Outcome
The court dismissed the plaintiffs’ claim of negligence against MCI Worldcom.
Three reasons:
– MCI Worldcom had an established email acceptable-use policy that expressly prohibited discriminatory email.
– It had acted consistently in enforcing the policy against the employee who sent the email.
– It took remedial action to enforce its written email policy.
The Discipline and Diligence Defense Tier
Inform employees of their responsibilities and the rules within the company.
These policies are rarely updated.
Huge investments are being made, but they are ineffective unless employees commit to the policies.
Discipline and Diligence break old habits with training, reminders, and enforcement.
Dual Functions of the AUP
(1) Prevent misuses from occurring.
– Help prevent security breaches by informing employees of what they can and cannot do.
– Clarify expectations about personal use of company equipment, privacy, and user responsibility.
– Warn employees of monitoring.
– Outline the consequences of non-compliance.
Employee abuse increases
Employees are more likely to abuse privileges when acceptable use has not been clearly outlined and enforced.
According to the courts, if a company does not take action to prevent a hostile work environment, then it is guilty of promoting it.
According to surveys by the ePolicy Institute, the AMA, and US News and World Report, 63 percent of US companies monitor employee internet activities.
Employees’ email and Internet records are being used against companies during the discovery process of lawsuits, so prevention is even more critical.
Dual Functions (cont)
(2) Legal Protection
– A uniformly enforced AUP is supporting evidence that the organization exercised its legal duty to safeguard employees.
– Companies have learned that email policy is useless in court.
– There are two legal doctrines relevant to employer liability.
Legal Theories and Employer Liability Issues
– Respondeat Superior Doctrine and Liability.
– Negligent Supervision and Duty of Care.
Respondeat Superior and Liability
Respondeat Superior: a doctrine that holds employers liable for misconduct of their employees that occurs within the scope of their employment.
Scope of their employment: conduct that occurs substantially within the authorized time and space limits of the job.
Continue: Respondeat Superior and Liability
On November 23, 2001, the U.S. and 29 other countries signed the Convention on Cybercrime.
It seeks to ensure that when a company fails to supervise employees and a computer crime is committed with the company’s knowledge, consent, or approval, the company is held liable for that crime.
Negligent Supervision and Duty of Care
Employer is also liable for the damages that result from negligent supervision of employees.
This may extend to actions outside the scope of employment.
Under the doctrine of duty of care, directors and officers have a fiduciary obligation to use reasonable care to protect their company’s business operation.
Continue: Negligent Supervision and Duty of Care
Businesses can no longer rely on force majeure (“force of nature,” or beyond human control) as a defense against hackers, because these attacks have happened often enough to become foreseeable.
In the case of a security breach, corporate officers and directors can face a lawsuit claiming they did not ensure adequate protection.
Characteristics of Effective AUPs
Comprehensive Scope: must apply to everyone working and to all devices, such as desktops, laptops, and cell phones.
Clear Language: must be concise and explain all unique aspects of the firm or business.
Adaptive Content: must allow constant revision as new technology appears.
Continue: Characteristics
Extension to Other Company Policies: protects intellectual property and prohibits harassment in the physical and virtual environment.
– Virtual environment: where business is being conducted outside of the firm.
Enforcement Provisions: must be maintained and enforced consistently, or the policy could be seen as discrimination.
Continue: Characteristics
Consent: acceptance and adoption of the AUP should not be passive.
– Require a signed agreement.
– Implied consent: usually a notice on computers or machines stating that using the equipment means you agree to all the rules and regulations.
Accountability: constantly research cases to ensure the environment is safe for workers and others around them and that they are all treated equally.
AUP Template
Chapter 6 provides an Acceptable Use Policy Template that can be used to review a current AUP or form a basis for a new AUP.
Changing technology and legislation mean that AUPs can become outdated quickly and require at least an annual review.
Template (cont)
There is no one perfect template for an Acceptable Use Policy.
To compose a relevant and feasible AUP, managers must assess:
– IT resources
– Infrastructure
– Culture
– Business needs
Template Policy Key Objectives
Protect the company against computer crime, viruses, hackers, and cyber pranks.
Maintain a non-hostile workplace.
Prevent sexual and racial discrimination, copyright infringement, and software piracy.
Maintain productive workplace use of company IT resources.
Provisions and Prohibitions
Users are not allowed to:
– Forward or save email chains.
– Use email for discussion forums.
– Use IT resources for personal gain.
– Dishonor copyright laws.
Users should:
– Check email daily.
– Scan all new files before opening them.
– Treat all files sent or received as company files; they are not to be printed or to leave the firm’s physical environment.
– Only let authorized users use certain IT resources.
Compliance
The company may choose to monitor or review all use of its IT resources, including but not limited to:
– Email sent and received.
– Internet usage.
– Computer files, documents, and faxes created, stored, deleted, or distributed.
– Any files that contain images, text, video, or audio content.
– Installed software, for licensing.
All computer activities create audit trails! No user can view another person’s email without permission.
Compliance Continued
Users are to report any violation of the AUP to (specific persons, titles).
All users assume full liability for their use of IT resources. Users release the company from any and all liabilities or claims relating to the company’s IT resources.
The policy may be amended or revised as necessary by the company.
Summary
Employers who have an effective, well-publicized AUP that is enforced with proper monitoring and violation procedures have a better chance of escaping liability and damages resulting from employee abuse.
Those who do not are risking liability, because employers bear the burden of proving an affirmative defense in court.