Browse Definitions :
Definition

acceptable use policy (AUP)

Paul Kirvan
By

What is an acceptable use policy (AUP)?

An acceptable use policy (AUP) is a document stipulating constraints and practices that a user must agree to for access to a corporate network, the internet or other resources. Many businesses and educational institutions require employees or students to sign an AUP before being granted a network ID.

From an information technology (IT) perspective, an AUP states what a user can and cannot do when using computers and computing resources. This applies whether the organization provides the device or it is a personal device that the user provides.

One of the benefits of an AUP is that it spells out acceptable and unacceptable employee behavior and actions. AUPs also provide a company with a legal mechanism to compel compliance, and they describe penalties for noncompliance.

checklist of the benefits of an acceptable use policy
Depending how an acceptable use policy is written, it can help protect an organization in a range of areas.

9 key elements of an acceptable use policy

Internet service providers (ISPs) usually require new customers to sign an AUP. It may be part of a service level agreement (SLA) between the ISP and customer.

The following are nine stipulations that might be included in an ISP's acceptable use policy:

  1. not using the service in violation of any law;
  2. not attempting to disrupt the information security of any computer network -- such as internet use -- or end user;
  3. not posting commercial messages to usenet groups without prior permission;
  4. not sending junk email messages or spam to anyone who doesn't want to receive them;
  5. not attempting to mail bomb a site in order to flood the server;
  6. not attempting to steal intellectual property from the vendor;
  7. requiring users to report any attempt to break into their account;
  8. acknowledging that disciplinary action may be imposed if the AUP is violated; and
  9. noting that the AUP complies with applicable law as applied IT and related issues and may be subject to periodic audits.

A disclaimer is often included in an AUP absolving the organization from responsibility for a data breach, malware or other issue. Statements about when a person is in violation of this policy and when law enforcement might be called in could also be included.

Examples of how AUPs are used

The following are examples of areas where an acceptable use policy could be helpful:

  • Social media. An AUP sets parameters on how employees should use social media sites, often stipulating what should not be discussed about the company and its business.
  • Internet and other system use. Policies usually cover whether an organization's computer systems can be used only for business purposes. They often stipulate whether these resources can be used for personal email or other electronic communications, shopping, playing computer games and gambling.
  • Cybersecurity. An AUP sets rules related to an organization's IT security policies. These include rules around accessing restricted information; changing access data, such as passwords; opening questionable email attachments; using public Wi-Fi services; and using company approved authentication procedures.
  • Non-employee users. Use policies set restrictions on how non-employees can use company information systems and network resources.
  • Accessing private or confidential information. AUPs prevent users from unauthorized access to proprietary or confidential data and unauthorized use of that data.
  • Bring your own device (BYOD). Many organizations allow or require employees to use personal devices for business purposes. However, with BYOD, an AUP is necessary to prevent security issues and misunderstandings about how these devices should be used.

Best practices to ensure AUPs are followed

Signing an acceptable use policy may be required as part of an employment contract. It often happens during the employee onboarding process or as needed with existing employees.

However, employees must be reminded periodically of their responsibility to understand and adhere to the rules spelled out in the AUP. Some best practices that help employees comply with these policies include the following:

  • Work with the company legal department to ensure the AUP addresses issues properly.
  • Have clearly written policies with minimal technical jargon or confusing legal terms.
  • Provide training classes that emphasize the rules included in an AUP.
  • Test employee knowledge, awareness and understanding of an AUP with periodic questionnaires.
  • Ensure that AUP language is periodically reviewed and updated, especially when there is a major change in business operations, such as introducing a new product or a merger, or when an audit is conducted.

BYOD acceptable use policies are becoming common. Find out more about BYOD policy enforcement and creation.

This was last updated in June 2022

Continue Reading About acceptable use policy (AUP)

Networking
  • subnet (subnetwork)

    A subnet, or subnetwork, is a segmented piece of a larger network. More specifically, subnets are a logical partition of an IP ...

  • secure access service edge (SASE)

    Secure access service edge (SASE), pronounced sassy, is a cloud architecture model that bundles together network and cloud-native...

  • Transmission Control Protocol (TCP)

    Transmission Control Protocol (TCP) is a standard protocol on the internet that ensures the reliable transmission of data between...

Security
  • cyber attack

    A cyber attack is any malicious attempt to gain unauthorized access to a computer, computing system or computer network with the ...

  • digital signature

    A digital signature is a mathematical technique used to validate the authenticity and integrity of a digital document, message or...

  • What is security information and event management (SIEM)?

    Security information and event management (SIEM) is an approach to security management that combines security information ...

CIO
  • product development (new product development)

    Product development -- also called new product management -- is a series of steps that includes the conceptualization, design, ...

  • innovation culture

    Innovation culture is the work environment that leaders cultivate to nurture unorthodox thinking and its application.

  • technology addiction

    Technology addiction is an impulse control disorder that involves the obsessive use of mobile devices, the internet or video ...

HRSoftware
  • organizational network analysis (ONA)

    Organizational network analysis (ONA) is a quantitative method for modeling and analyzing how communications, information, ...

  • HireVue

    HireVue is an enterprise video interviewing technology provider of a platform that lets recruiters and hiring managers screen ...

  • Human Resource Certification Institute (HRCI)

    Human Resource Certification Institute (HRCI) is a U.S.-based credentialing organization offering certifications to HR ...

Customer Experience
  • contact center agent (call center agent)

    A contact center agent is a person who handles incoming or outgoing customer communications for an organization.

  • contact center management

    Contact center management is the process of overseeing contact center operations with the goal of providing an outstanding ...

  • digital marketing

    Digital marketing is the promotion and marketing of goods and services to consumers through digital channels and electronic ...

Close