A question came up on the ISO27k Forum about an Acceptable Use Policy. I'll take this opportunity to dispense a few Hinson Tips (free, worth every penny!).
AUP isn’t a generally-defined and globally-agreed term. Even “policy” has a spectrum of meanings. So, regardless of what any of us might think or claim it means, what matters is the organization that’s using it – the organizational context. What does your management expect an AUP to be? To achieve? To look like? You should get some useful clues from other similar materials in other areas such as IT, HR and Finance, other functions that to some extent formally express directives. They may or may not be called AUPs, so take a look around the policy-related guidance materials, and preferably talk to the original authors about their work. You will probably pick up some useful tips, maybe even some help to knock your materials into shape.
Some organizations use AUPs formally, stating employees' obligations for legal purposes. Personally, I prefer conventional policies and employment-related contracts, terms and conditions, rulebooks etc. for that purpose. I treat AUPs more as guidelines than policies ... but even so that’s on the premise that a ‘guideline’ CAN and generally SHOULD incorporate obligations defined in various policies, laws and regulations – in other words, despite the name, a guideline includes and revolves around mandatory elements. Its purpose, for me, is to explain those obligations in plain language and thereby encourage people to comply.
Employees shouldn't need to consult a lawyer to figure out what is expected of them. Management should ensure not only that employees are instructed, but they are also helped to understand and fulfill their obligations.
There are various ways to ‘explain and encourage’ employees. A useful approach is to lay out examples covering both acceptable AND unacceptable activities, hence the AUPs in our awareness and training materials look something like this little extract:
The language is reasonably simple and straightforward (avoiding the technobabble and pseudo-legalese that afflicts some of our esteemed colleagues!) and we’re using the obvious green and red color cues plus the ticks and crosses to emphasize do’s and don’ts. We try to have roughly the same number of each, countering the tendency for the whole thing to preach “Thou shalt not …” And separating the reds from the greens gives an otherwise jumbled list a little structure. We’re trying hard to encourage and make it easy for even reluctant, busy, distracted and disinterested readers to read.
For the same reason, we also take the position that ‘less is more’, meaning that our AUPs have less than 500 words each. They are all one-pagers with a two-column layout. That’s quite a challenge for the AUP author [me!] since words are at a premium, which means condensing the AUP down to essentials. Aside from careful wordsmithing, it’s worth asking “If someone barely has the time or interest to glance at this, what are the key messages we must put across?”. That approach in turn begs questions about what happens to the other stuff that we’re forced to leave out. For us, it’s easy enough because we also provide briefings and seminar slide decks and conventional policy templates etc., a coherent and comprehensive package of goodies and awareness activities supporting the AUP, all covering the same infosec topic ...
... Which brings up another part of our approach: we don’t try to cover everything all at once. We deliberately break things down into a series of distinct topic areas, allowing us to focus and go into a bit more depth on each topic, moving ahead month-by-month to cover the entire field. Consuming the elephant one bite at a time.

If you think one or more AUPs would be useful in your organization but are unsure about the format, you might like to prepare or compile a variety of AUPs in different styles, giving management the chance to consider the options and choose the best ones or the best bits. As well as AUPs from within the organization, look for examples from other organizations (including ours!) to see the range of styles and formats in use. Once you get management's agreement and generate something that is acceptable to all parties, that becomes the template for others ...

... And that's how we work too. All our security awareness and training materials are prepared from templates, making it easier to adopt and stick to a consistent look-and-feel. The templates pre-set things such as:
- Page/paper size and orientation;
- Language for spell-checking;
- The font, font sizes and colors, both for plain content plus the titles, headings, hyperlinks etc. using 'styles';
- Headers and footers with titles, page numbering and our copyright notice;
- Page layouts e.g. columns, tables;
- Document structure e.g. cover page, main headings;
- Boilerplate text such as sources of further information and contacts at the bottom of almost everything (sometimes customized according to the topic);
- Miscellaneous formatting e.g. line thicknesses and colors, arrowheads;
- Diagrammatic styles e.g. the risk-control spectrum and PIG diagrams you'll see pop up occasionally on this very blog;
- Metadata such as tags to make it easier to search for specific kinds or items of material.
Our full suite of templates has evolved in the course of a decade and is still being tweaked from time to time. In particular we review and where necessary modify the whole lot annually at the start of the calendar year: updating the copyright notices triggers that process. We try to keep a lid on minor changes during the year in order not to introduce noticeable inconsistencies, so the annual template re-vamp is our opportunity to address any little issues and if appropriate adopt more significant changes, sometimes retiring templates that are no longer proving useful.
Another source of change is the creation of new formats or styles of awareness materials, such as the AUP seen above. New items normally take a couple of iterations and adjustments before stabilizing and being templated, becoming part of the set.
Finally, there are other tricks of the trade in researching, writing and polishing awareness and training materials that both are and appear professional. A suite of templates is an excellent start but just as important is the way the templates are used, and of course the quality of the information content. We take pride in our work. We care about spelling and grammar. We consider our audiences, and we learn and improve systematically. We're perfectionists by nature. That's the secret weapon that gives us an edge over the usual rather amateurish and slapdash awareness and training content that is so common out there, the stuff that gives our profession a bad reputation. We must do better, raising our game. We're doing our bit. What about you?