Acceptable Use Policies and Why Your Company Needs One
What is an Acceptable Use Policy?
An acceptable use policy (AUP) is a set of rules, applied by the owner or manager of a network, website or large computer system, that restricts how the network, website or system may be used. AUP documents are written by corporations, businesses, universities, schools, internet service providers and website owners, often to reduce the potential for legal action by a user.
Acceptable Use Policies are an integral part of the framework of information security policies, and it is common practice to ask new members of an organization to sign such a document before they are given access to its information systems. For this reason an AUP must be concise and clear, while still covering the most important points about what users are, and are not, allowed to do with the organization's IT systems.
Does your company have a clearly delineated AUP? Is it enforced? Or, as is the case in all too many instances, once the document is signed by the new hire does it disappear into some nebulous black hole in Human Resources, never to be seen or heard from again? Contrary to popular belief these policies exist for a reason and should not be disregarded.
Why should I, or my company, expend any effort on this when resources are already stretched thin?
There are many reasons, but I shall only cover a few of the most pertinent examples, some of which have legal ramifications, and some of which are costing you money. Let us consider some common scenarios that are prevalent at many companies, large and small.
Music files (.mp3, .mp4, WMA, etc…)
First of all, how many of you allow these files to be stored on company equipment? This would include server storage, local storage on PCs and laptops, tablets, and phones. If your organization follows what seems to be common practice then I would say that the majority of those reading this blog would answer “Yes”…to all of the above. Reasons to allow this are legion, but usually boil down to some form of “it makes my users more productive”.
I can’t, and don’t, actually disagree with this sentiment, but… Are you 100 percent certain that each and every one of these music files is a legal copy? U.S. copyright law does, in fact, provide full protection of sound recordings, whether they exist in the form of physical CDs or digital files. According to the Recording Industry Association of America (RIAA): “Regardless of the format at issue, the same basic principle applies: music sound recordings may not be copied or distributed without the permission of the owner. It’s okay to copy music onto an analog cassette, but not for commercial purposes. It’s also okay to copy music onto special Audio CD-Rs, mini-discs, and digital tapes (because royalties have been paid on them) – but, again, not for commercial purposes. Beyond that, there’s no legal “right” to copy the copyrighted music on a CD onto a CD-R. However, burning a copy of a CD onto a CD-R, or transferring a copy onto your computer hard drive or your portable music player, won’t usually raise concerns so long as: The copy is made from an authorized original CD that you legitimately own. The copy is just for your personal use. It’s not a personal use – in fact, it’s illegal – to give away the copy or lend it to others for copying”.
Is dumping these files onto a network share illegal? It depends. There is something of a grey area here, and court rulings are a bit hazy as well, but is it really worth the risk? Also, can you be sure that your employees aren’t sharing music with each other?
Video files (MPEG, MPEG-2, AVI, etc…)
Many of the same considerations apply to these file formats as to the music files above. There are exceptions of course: home movies, work-related video files, training videos and the like are acceptable and legal. That being said, the copies of Hollywood movies and Season One of “The Walking Dead” sitting on your server probably are not. Copyright law applies to these as well, and it should be noted that your company can be held liable for copyright infringement. I will explain this in more detail later on.
Text files (e-books, etc…)
Yes, believe it or not, that collection of Nook, Kindle, and other electronic books is also covered under copyright law. In some cases Digital Rights Management (DRM) will solve this problem for you, if the copy protection mechanism prohibits use anywhere other than the device the file was originally downloaded onto. If not, the same rules apply as they do for music and movies.
So what does this all mean in the grand scheme of things? (And why should I care?)
Beyond the legal considerations there are actually quite a few reasons why this problem should be on your radar. The items I discuss below are just a few of the more obvious ones, and I’m sure given a little time you can come up with even more.
Disk Space- When was the last time you performed a scan of your server disks? Did you break it out by file format? You might be surprised by what you find. If your company allows users to store media files on network shares (with no restrictions on disk space), it is possible that anywhere from 30 to 50 percent of your storage is being eaten up by this type of data. Does that number seem excessive to you? I suggest that you perform this test for yourself. Consider this…the average user music library is right around 10GB (and some are much larger). Multiply this by the number of users on your network. The total number of gigabytes should shock you…it did me the first time I ran into this scenario.
IT Resource usage- How many man hours do your IT people spend each month recovering files that accidentally get deleted or become corrupt? It may not be many, or it could potentially be a regular event that requires restore from back-up (or some other recovery method). Are these requests only made for valid work related files? Or are a fair portion of them because Joe SalesGuy deleted his Abba collection and really, really wants it back?
Back-ups- Don’t consider only the amount of media that is utilized to back-up these files, but also think about how long it takes to perform said back-ups. Are your back-up windows encroaching into Production hours? Are those expensive LTO-5 tapes taking a big bite out of your budget? If the answer to either of these questions is “Yes” you may want to analyze just what it is that you are backing up.
And just to give you more food for thought consider this: Each and every time you back-up one of these media files you are potentially breaking Copyright Laws. Yes, that’s correct, breaking the law. While it is permissible for a given owner of a CD or Movie to make a backup copy of said file for personal use, it is definitely NOT legal for your company to make unauthorized copies of these files each and every time you run your nightly/weekly back-up sets. Sobering thought isn’t it? Permitting your employees to have these files available for “morale” reasons is actually putting you and your company at risk in the legal sense. This puts a different spin on things doesn’t it?
One other item that generally doesn’t fall into the same category as above, but still needs consideration, are personal photo libraries. Depending upon what file format is used, and what resolution the photo is shot at and saved in, you could be looking at a fair amount of disk space. If you combine all of these file types and generate a report on how much total disk space is being utilized by them you might find yourself grumbling under your breath and attempting to devise a plan to mitigate the problem.
And this brings us back to where this whole blog began…Acceptable Use Policies are designed for just such scenarios as I posit in this document. If the policy is clearly defined (and enforced), then this becomes a non-issue. The problem is that in most cases enforcement is random and/or non-existent. A good AUP will protect you and your company, while at the same time defining what your employees can, and cannot, expect to do with company equipment.
If music is deemed necessary for the health and well-being of staff then there are a few options you can suggest or implement. MP3 players, iPods, and radios resolve the issue without putting you or your business at risk. Streaming music services such as Pandora are also an option, but come at a steep cost in bandwidth on the LAN/WAN.
The big question is what you can do about this, and how you prevent it from happening. Let’s face it, this will require a culture change on a grand scale for most organizations, and without the support of senior management it will get ugly fast. The first step is to inventory your systems and see if the problem even exists. If it does, how big is the problem? A definite policy regarding these files and their usage needs to be clearly thought out and communicated to the entire user community. This communication should include a time-line, and clearly state what will happen to said files at the end of this period (i.e. deletion, removal from back-ups, etc…), and last, regular audits should be performed. You can also configure your file servers to refuse these file types on network shares (Windows File Server Resource Manager file screens, for example, block writes by file name pattern), bearing in mind that an extension filter is defeated by simply renaming the file, so it complements the regular audits rather than replacing them.
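As an added example (not code from the original post), here is the inventory step from the procedure above, and the scan by file format suggested under Disk Space, written as a small Python script: it walks a mounted share, groups bytes by media type and by top-level directory, and reports what percentage of the scanned storage media files occupy. The per-user directory layout, the extension lists and the sample entries are assumptions made for illustration; nothing in the post specifies them.

```python
"""Inventory media files on a file share by type and by top-level owner directory.

Added example, not from the original post. Assumes the share is mounted locally
and laid out as <root>/<username>/..., so the first path component identifies the
owner; that layout, the extension lists and SAMPLE_ENTRIES are assumptions.
"""
import os
import stat
import sys
from collections import defaultdict

MIB = 1024 * 1024

# Extension -> category for the file types the post discusses (not exhaustive).
MEDIA_CATEGORIES = {
    "music": {".mp3", ".m4a", ".wma", ".flac", ".aac", ".ogg"},
    "video": {".mp4", ".mpg", ".mpeg", ".avi", ".mkv", ".wmv", ".mov"},
    "ebook": {".epub", ".mobi", ".azw", ".azw3"},
    "photo": {".jpg", ".jpeg", ".png", ".heic", ".cr2", ".nef"},
}
EXT_TO_CATEGORY = {ext: cat for cat, exts in MEDIA_CATEGORIES.items() for ext in exts}


def categorize(path):
    """Media category for a path (case-insensitive on the extension), or None."""
    return EXT_TO_CATEGORY.get(os.path.splitext(path)[1].lower())


def scan_tree(root):
    """Yield (relative_path, size_bytes) for every regular file under root.

    Symlinks are not followed; unreadable entries are skipped instead of
    aborting the whole inventory.
    """
    for dirpath, _dirs, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full, follow_symlinks=False)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                yield os.path.relpath(full, root), st.st_size


def summarize(entries):
    """Aggregate (relative_path, size_bytes) pairs.

    Returns total bytes scanned, media bytes per category, media bytes per
    owner (first path component) and media as a percentage of all bytes.
    """
    total = 0
    by_category = defaultdict(int)
    by_owner = defaultdict(int)
    for rel_path, size in entries:
        total += size
        category = categorize(rel_path)
        if category is None:
            continue
        by_category[category] += size
        by_owner[rel_path.replace("\\", "/").split("/", 1)[0]] += size
    media_total = sum(by_category.values())
    return {
        "total_bytes": total,
        "media_bytes": media_total,
        "media_percent": round(100.0 * media_total / total, 1) if total else 0.0,
        "by_category": dict(by_category),
        "by_owner": dict(by_owner),
    }


def format_report(summary):
    """Plain-text report, biggest categories and owners first."""
    lines = [f"Scanned {summary['total_bytes'] / MIB:,.0f} MiB, of which media "
             f"{summary['media_bytes'] / MIB:,.0f} MiB ({summary['media_percent']}%)"]
    for label in ("by_category", "by_owner"):
        for key, size in sorted(summary[label].items(), key=lambda kv: -kv[1]):
            lines.append(f"  {key:<24} {size / MIB:>10,.0f} MiB")
    return "\n".join(lines)


# Constructed sample standing in for scan_tree() output on a real share.
SAMPLE_ENTRIES = [
    ("jsalesguy/Music/ABBA/01 Dancing Queen.mp3", 9 * MIB),
    ("jsalesguy/Music/ABBA/02 Knowing Me.MP3", 8 * MIB),
    ("jsalesguy/Video/walking_dead_s01e01.mkv", 1400 * MIB),
    ("jsalesguy/Q3-forecast.xlsx", 3 * MIB),
    ("akim/Books/novel.epub", 2 * MIB),
    ("akim/Photos/IMG_0001.JPG", 5 * MIB),
    ("akim/report.docx", 1 * MIB),
    # Legitimate training video: same extension as a pirated movie, so the
    # extension-based inventory flags it too and a person must sort it out.
    ("shared/training/onboarding.mp4", 600 * MIB),
]

if __name__ == "__main__":
    # Pass a mounted share root to scan it; with no argument, use the sample.
    entries = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ENTRIES
    print(format_report(summarize(entries)))
```

Run it against the share root once to size the problem, and again after the communicated deadline as the audit. Note that the report only tells you which files carry a media extension; it cannot tell a licensed training video from a ripped season of television, and a renamed file escapes it entirely, which is why the inventory supports the policy conversation rather than substituting for it.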
There is no “one size fits all” solution that will work for everyone. You need to look at your organization and make decisions that are a good fit, but you absolutely need to have a solid Acceptable Use Policy in place that you can build the framework around. I hope that any reader of this blog will come away with a better understanding of why these policies exist, and also how not enforcing them can impact your business.