Security Glossary

Acceptable Use Policy (AUP)

A policy that spells out what is and isn't allowed when using the organization's IT resources (computers, internet access, email, mobile devices, and so on). It sets the expectation that employees use company assets responsibly and securely.

For instance, an AUP may include statements like: "Company computers are to be used primarily for business purposes; do not use them to visit illegal or high-risk websites; do not install unauthorized software; do not connect personal storage devices without approval; do not share confidential data via personal email," etc.

It often covers personal use of company equipment (e.g., "limited personal use is permitted but must not interfere with work or violate other policies") and possibly the reverse (using personal devices for work, referencing BYOD policy). The AUP is basically a behaviour contract that helps prevent risky activities.

When employees know the boundaries - like not clicking "Agree" to random software terms or not using work email to sign up for shady services - it reduces the attack surface. For small businesses, an AUP can be a one-pager that significantly reduces confusion ("I didn't know I wasn't supposed to torrent movies on the office Wi-Fi!").

It also gives you grounds to act if someone's behaviour is endangering security (like repeatedly installing torrenting software on a company laptop). AUPs should be acknowledged by employees (BrightShield, for example, can track who's read and accepted policies).

Ultimately, an Acceptable Use Policy is about clarifying the rules of the road for using IT in the company, so everyone uses resources safely and appropriately.
