A Guide for Drafting Comprehensive and Effective Computer Policies
V3- Updated to deal with today's computer environment
While protecting your organization from outside threats is clearly important, protecting the organization from internal threats is at least as important, if not more so. According to a Computer Crime and Security Survey conducted by the Computer Security Institute and the FBI, 55% of the respondents reported unauthorized access to information by persons inside the organization, compared to just 30% who reported intrusions by outsiders. A quarter reported theft of proprietary information and 69% reported theft of laptop computers. Ninety percent (90%) reported virus contamination and a staggering 97% reported systems abuse by insiders (pornography, pirated software, inappropriate email usage, etc.). According to Sextracker, an organization that tracks the online pornography trade, seventy percent (70%) of online pornography viewing occurs during the 9-5 workday.
Although some companies have instituted rudimentary email usage policies, most have neglected to address all aspects of computers in the workplace and information security. Although the best-crafted policies may not stop an employee bent on violating them, good policies will minimize their opportunities and minimize the organization's liability.
The following sample policies are meant as guides. Where appropriate, sample policies with varying levels of leniency are given. All of the samples contained in this manual are contained on the enclosed diskette in Rich Text Format (RTF). Virtually all word processors can open and edit RTF documents. The samples are contained in a file named "samples.rtf"; you may freely edit them to meet your needs. You may not, however, distribute them in any manner outside of your organization. (Note: providing the samples to an outside attorney who is assisting your organization in the creation of your in-house computer policies is permissible. See the license agreement for more details of permissible uses.)
Rehman Technology Services, Inc. provides consulting services at a nominal fee should you decide that you would like assistance in preparing your policies.
Organizations of all sizes often suffer from the same computer and information security problems, many of which are easy to correct. Individuals trying to gain access to your computer systems and data often exploit these security holes. This guide will discuss these and how proper policies and procedures can plug these holes.
Perhaps the most common threat to organizations comes from viruses, worms, and other hostile programming code. While it may be impossible to completely guard against all such threats, following the policies set forth in this manual will minimize the threat potential. The steps include educating your users about the threats, setting out policies that minimize the infection potential, installing antivirus software, regularly updating the antivirus software, and installing all of the security patches for operating systems, web browsers, email clients, and applications.
Many sample policies refer to the "Information Resources Department" or the "Director of Information Resources." If your company uses another designation for these, simply replace the terms with the appropriate ones. If your company is smaller and does not have such a section or individual, consider designating someone to be the Director of Information Resources; this does not have to be a full-time position and can be in addition to the person's existing duties. Having a single focal point for your information resources will streamline the handling of computer-related issues; users will know whom to ask for clarifications of policies and to whom to report violations.
Likewise, references to "The Company" should be replaced with your organization's name.
The term "user", instead of "employee", was chosen so that the policies would encompass employees as well as contractors or other non-employees who have access to the organization's computers.
All users should be provided a copy of the computer policies and required to sign a statement that they have received them, read them, understand them, and agree to abide by them. This applies to all existing employees, contractors, temporary workers, etc., as well as all new personnel. A sample acknowledgement statement is included at the end of the policy guide.
Several policies contain notifications to system users that they have no expectation of privacy. While they may appear redundant, they serve to reinforce the absolute lack of privacy. Courts have generally ruled in favor of employers where policies made it clear that the employee had no expectation of privacy.
The Courts and federal regulators have generally left employers to regulate personal computer, Internet, and email usage as the employer wishes. You should be aware, however, of the National Labor Relations Board (NLRB). The Depression-era National Labor Relations Act protects workers who are communicating about work terms and conditions; this includes union activity, salary, sick time, and vacation time. While in 1988 the NLRB upheld the firing of an employee who sent an email critical of layoffs, where the email was sent at a busy time of the day and disrupted the company's computer system, in 1998 it ordered a company to rehire an employee who was fired for criticizing a leave policy via email.
The difference between the two cases, other than the political time frame, appears to be that the first worker physically disrupted his employer's business. The second employee did not physically disrupt the business, but angered management by criticizing a new policy. The NLRB General Counsel's Office has issued an opinion memorandum stating that an employer cannot ban employee use of email for messages that are federally protected under labor law.
For purposes of policies, employers may wish to consider the federally protected communications as work-related, not personal use. If your organization is unionized, you should consult with a knowledgeable attorney before implementing any policies that might affect union employees.
You should thoroughly read all of the policy areas, even ones that you think may not apply. Because all of the topics are interrelated, the discussion of one may provide you with additional insight into another.
Wherever possible, logon banners should be displayed that reiterate key points of the organization's computer policies. The further reinforcement provided by the logon banners should also serve to strengthen the organization's right to inspect email and other computer files should employee litigation occur. A sample logon banner is included in the policy guide.
The days of an employee spending their entire career at a single employer are long past. Workers often leave for a minimal pay increase; in some fields, this is the only way to increase one's salary. With this highly mobile workforce comes a lessened loyalty to employers. It is incumbent upon employers to protect their assets from the plethora of liabilities created by the information age.