31 May Internet usage policy, find out the essential topics
Thus, instead of working on the topic of information security policy, we will bring some items that must be taken into account when creating your document with the guidelines of Internet usage, which is more easily absorbed by small and medium-sized businesses or even large businesses with little security maturity.
The purpose of an Internet usage policyis to define what is allowed and what is not; so that the company can meet essential needs for the employees can perform their duties in a quality environment.
Generally, the document that consolidates the internet usage policystarts with guidelines regarding reading/interpreting the policy. This means making clear what actions will be taken in case of occurrences not covered by the document. In this sense, the company may opt for the implementation of a permissiveor restrictivepolicy. In permissivepolicies, access to the websites is totally free, except for those listed in the policy and/or configured in the security solutionused by the company. In restrictive policies the opposite occurs, all websites have restricted access, except those informed in the policy and/or configured in the company’s security solution.
It is worth mentioning that even in environments with a high degree of freedom of access to the internet and a differentiated organizational culture, it is necessary to construct and disseminate a guide with good practices associated with the use of the Internet, in order to improve the use of the resource in a corporate environment.
During the process of building the Internet usage policy, do not lose sight of the organizational culture, defending the interests of the business, as well as the employees who yearn for a work environment with quality to carry out their activities.
Therefore, we created a checklist with items that should be part of the Internet usage policy, or reference to best practices. You can build your own document and make the necessary adjustments.
To further facilitate, we have also developed an Internet usage policytemplate. With template and checklist, you will undoubtedly build a great document.
Before we start with the checklist, it is important to emphasize the need for engagement among the parties involved, in this case in particular the collaborators. The policy will impact the entire company, so it is not appropriate for it to be handled arbitrarily. In this sense, the idea is to promote a structure of awareness, so that collaborators have greater adherence to the proposed policy.
There are, therefore, 20 topics essential for any document with the purposes quoted throughout this text:
- The document and its updates must be available to everyone at any time within the company, whether on an intranet, or in a shared PDF file;
- It is important to have at least one person as a sponsor of the document and the items therein, always promoting the memories, debates, clarification of doubts among others;
- Build a policy dissemination strategy with a focus on awareness, produce interesting materials and make it available on the intranet, internal mailers, or bulletin boards;
- Call each of the sectors through their leaders to brainstorm about the initiative, so they can collaborate and especially define what is important to the industry;
- Define which are the critical applications for the business, that should be prioritized in relation to the others. Apply prioritization of trafficand other resources to ensure priority operation in case of exhaustion of the internet resource;
- Define in each sector what applications/software and others are needed for the work activities, and create mechanisms to avoid the use of restricted software;
- Define in each sector what websites and content are associated to the work and also those that are not, but that users would like to have its use allowed, full-time or flexible hours;
- Define how it will be the entrance of own equipment for work purposes (BYOD) and what minimum software and similar requirements the collaborator should have; preferably create an agreement and collect signatures for it;
- Define how smartphones and similar devices will be used within the company, what is allowed and what is not, as well as what needs to be avoided;
- Define how external access to the companywill be, and under what circumstances it will be authorized for employees;
- Define the criteria for using the wireless network, either for collaborators or visitors (suppliers, customers), preferably issue a term of use and recommendations not to use internet banking and other private applications;
- Make it clear to collaborators not to use company resources for personal purposes as far as possible, with the possibility of warning or disconnection;
- Make it clear to collaborators that access to internet banking, or other private applications, is entirely their responsibility, and if such information is exposed for any reason causing inconvenience to the employee, the company cannot be held responsible at any time;
- Define best practices in the use and maintenance of equipment such as computers, printers, telephone and others;
- Define the criteria for using corporate email, such as types of information that can be sent, attachments, signature pattern, avoiding to forward mailings as well as use for personal purposes;
- Define how printers and copiers should be used, what printing is tolerated, and for what purposes;
- Check with your safety supplier if anything that has been set as a guideline can be covered in the product, before putting it into operation, and make adjustments or change the supplier if necessary;
- Define who should be responsible for managing changes in policies or guidelines for Internet use and computing resources, assessing impact, risks, as well as ensuring the internal publicity of the change;
- Make it very clear what measures the company has taken in case of breach or violation of any of the guidelines;
- Formalize the document and collect an acceptance form from all collaborators, or create some mechanism to record the agreement.
You may (and should) change items according to your reality. Larger, mature businesses will require numerous other items that do not fit the purpose of this checklist. However, if your company still does not put the aforementioned items into practice, it will undoubtedly be a great start.