How to Create and Implement a Highly Effective Acceptable Use Policy

Sep 4, 2019Uncategorized

With the rise of new technologies (on what feels like a daily basis) comes greater risk. Technology is helpful, as it opens up new possibilities and generally makes things easier, especially at work. Unfortunately, there will always be people out there who will look for gaps in your cybersecurity.

Your tech is a gateway for these individuals. To create a culture of risk management within your organization, it’s crucial that you make sure you have an Acceptable Use Policy in place. An Acceptable Use Policy (AUP), or Intranet policy, is official documentation containing rules that govern network, computer, and data usage. It is one of the best ways to help limit any unnecessary exposure to cyber risks, such as data breaches, which ultimately protects your company’s funds and reputation.

Even if you think you already have a sufficient set of rules in place, you will want to rethink things and take this guide’s points into consideration. Creating an effective Acceptable Use Policy is growing increasingly difficult as technologies continue to become more advanced.

Let’s make sure you don’t breeze over any key points and leave your company vulnerable to cyber threats. Avoid some of the biggest dangers that lurk today by learning what we have laid out for you in this post. We’ll review what to include when creating your new Acceptable Use Policy that will educate employees on how they can help keep your network secure—and how to effectively implement an all-important AUP.

Sections to Include in Your Acceptable Use Policy

Ensure your company is well-protected from the inside out with an effective Acceptable Use Policy that follows these recommendations. Each is important for different reasons, and all will come together to help you form a comprehensive set of rules your employees should follow carefully. Studies have shown that most corporate breaches occur from human error.

That is, someone on the inside unknowingly becoming a victim and unintentionally infecting the entire network. Think twice before skipping these critical Acceptable Use Policy components to eliminate your chances of a data breach. Although each company will be a bit different, certain things should be considered as standard and taken very seriously.


For starters, make clear which systems, communications, devices, and information fall within the scope of the Acceptable Use Policy. Define any parts that could be seen as confusing so everyone is on the same page. Items that are commonly overlooked but need to be taken into consideration are details on passwords, messaging, the storage of various media, cloud computing accounts, and corporate software.

Code of Conduct

Code of Conduct ensures the appropriate behavior of your staff at all times. Unless you outline it here, they will not necessarily know the full scope of what appropriate behavior entails. Or they can claim that it was not clearly told to them from the get-go. Inferring is not enough if it ever comes down to a legal battle.

Lay out what is expected of your employees as far as violating state or federal laws, the disclosing of your company’s confidential information—or that of your clients or partners, activities that might disturb other network users, or even the use of inappropriate language while online. Be specific about what kinds of activities will not be tolerated at your organization. You may be surprised about what we’ve heard people at some companies thought they could actually get away with. Make sure you’re covered.

Business Use

Plainly define how the technology resources you are providing your employees are intended to be used for business. Direct them on the ethical conduct you expect of them while they are using corporate resources, as well as their accountability for the use of all company accounts.


In training your employees on cybersecurity matters, you’re helping them understand why they need to adhere to the guidelines you set forth. They are less likely to see your rules as strict or enforcing them as micromanaging if they know the reasoning behind them. Each employee should be led to understand why they can and cannot do certain things while using the company network.

You need to tell them how easy it is to infect or compromise their system—as well as everyone else’s—through accidentally downloaded malware, irresponsible browsing, and even unauthorized personal devices. Explain you are not just trying to deny them access to certain things on the internet by establishing your Acceptable Use Policy.

Compliance and Legal Requirements

There are also industry-specific legal requirements you should be aware of. Regulations such as HIPAA in healthcare, the GLB Act in finance and insurance, and General Data Protection Regulation (GDPR) for the EU if you collect or process information from European clients. These specific regulations all need to be considered when creating a thorough Acceptable Use Policy.

For your particular field, you might even need to abide by more than one set of compliance standards. For instance, you could be required to be both Payment Card Industry compliant and follow HIPAA if you’re a healthcare company that accepts and internally processes payments from credit cards. Detail all of this in your Acceptable Use Policy, which should be custom-tailored to your line of work. Don’t include anything that does not apply to your business in order to avoid a cluttered, disorganized document that is difficult for your workers to follow.


Types of possible questions you will want to address in this section are:

  • Why is certain data valuable?
  • What data should always be backed up?
  • Is there data that should be encrypted in transit vs. at rest?
  • How will data be processed, stored, accessed, and disposed of safely?
  • What could pose a potential weakness in how sensitive data is being handled?

An effective Acceptable Use Policy delineates precisely which types of data are regularly collected by your organization. An examination of current processes concerning internal data can help identify, and subsequently address, any weak spots that could become a target for hackers. After reading through the Acceptable Use Policy, you will have also created a general standard for employees to adhere to, regardless of whether they remember specifics of the rules.

Personal Devices

Don’t forget about personal devices. Your staff might not realize this, but personal devices are becoming increasingly popular for cybercriminals to get into company information. Therefore, it needs to be covered. Valuable data can be leaked from the smallest of places. Plug the leak, so to speak, before it happens. Although seemingly insignificant, neglecting to do so could be the oversight that sinks the ship that is your company.

Rules should be set and outlined for what corporate data is permitted on your employees’ personal devices that they bring to work or on which they access the company network. These policies you’re writing need to detail how data can be accessed, stored, and transmitted, as well as highlight any required mobile management software, security controls, antivirus programs, measures for identity management—even remote wipe tools. That is, if you even allow employees access through their personal devices at all.

Social Media

Similarly to the previous section about personal devices, such as mobile, social media is another platform often used for personal things that poses a potential risk to your company. Of course, that is not to say that your employees should not engage with social media whatsoever—it offers great marketing opportunities. However, it’s another window into the inner-workings of your business and the sensitive information of your partners, clients, and anyone else connected with your brand.

Sometimes, too much is shared—other times it’s someone from the outside with harmful intentions, trying to force their way in through phishing or by other means. An effective Acceptable Use Policy can put restrictions in place that will allay security risks. It does so by limiting the information that can be shared and consequently obtained by the wrong people.

Industry-Specific Threats

Studies indicate that cyber attackers don’t target companies at random. Rather, they go after those they feel are the easiest targets. Typically, these criminals will go after smaller companies first. After that, it depends on the industry, which tends to change from year to year. Additionally, different security measures will do different things in different fields. Thus you will want to ensure that your Acceptable Use Policy is customized to be industry-specific.

Enforcement and Consequences

Only include policies that you plan to enforce. As humans, we can be forgetful. Therefore, punishments for violations should match the level of intent, since things can happen purely by mistake. They should also vary depending on the severity of the rule that was broken. Decide ahead of time how staff will be held accountable and what is fair when crafting your policy.

There are also ways you can put up safeguards without having to worry too much about human error or malpractice. You can enforce your Acceptable Use Policy behind the scenes in more passive way by configuring computers so they cannot download untrustworthy applications from the internet. You can also restrict access to certain data and apply special filters, or firewalls.

Once you feel you have a solid draft in place, it’s a good idea to have your company’s legal team review your document. Make sure it’s distributed to each employee once finalized and keep a copy of each worker’s signed sheet for your records.

Now that you know some of the most important areas to include in your Acceptable Use Policy, it’s time to learn how to best start implementing it across your business.

Steps to Implement an Effective Acceptable Use Policy

It’s not just about making sure the policies are in the document. It’s about getting people to stay with them as much as possible for it to be the most effective. Read on to get a better sense of how to do this so that you can rest assured that your company’s information will be safe against cybercrime. You can be what stands in between your company and letting an attacker hit their target successfully.

Initiate and Establish Structures

Deciding who in your organization will be responsible for enforcing the Acceptable Use Policy is a good place to start. You may even want to make it a group effort by setting up a committee, rather than appointing an individual to police other employees on best practices.

Review and Research

Remember, to be proactive and ensure your staff stays safe when using the internet at work, they have to have the right rules that pertain to your industry. If you expect them to know what to do and what not to do, you will have to be crystal clear and highly specific when writing up your document.

Conduct your research. It’s completely alright to write several drafts. Don’t stop until you have a policy in which you are confident that it will work and nothing crucial was left out or left questionable. Also, if you recall from the previous section, you’ll want to have multiple sets of trustworthy eyes on it before it circulates.

Preparation of Draft Policy

This one is simply about formatting. You may think this is a small or insignificant matter, but often it’s the details that will get you where you need to go. Make sure your Acceptable Use Policy is broken down and organized in a way that is easy to read. You don’t want something confusing that the employee is likely to put down and give up on immediately because they think it’s not worth their time or too overwhelming.

Make it worth everyone’s time and help them see why it’s an absolutely essential tool that is to be taken very seriously. Again, one simple misstep, and everyone could be paying the price.

Circulation and Consultation

Aside from research, you might also want to consider letting the actual users have a say in it. If you get input from employees, listen. Everyone at your organization should be getting a copy of your Acceptable Use Policy, even if they won’t be on the network for most of their time at work.

When all stakeholders are allowed to offer input and feedback, you’re less likely to have an important idea slip through the cracks. Or, you could even learn that an initially included segment is unrealistic or felt to be unfair among the masses. In which case, you could work with your staff to find another solution for protection that would make them happy while still not compromising the effectiveness of your overall policy.

Ratification and Communication

Here, you’re seeing to it that everyone’s in the know and that you have that in writing. Employees should never feel surprised about something once your Acceptable Use Policy has been implemented because they all signed on it. If they have any questions, they should be asking sooner than later.

Get everyone’s agreement, regardless of department, on the entirety of your document before it gets put into action. If even one person doesn’t sign, they cannot fully be held accountable and it opens up a hole of sorts in your security. Trust us, you don’t want any weaknesses there, especially if you could have avoided them. Don’t let anyone feel as though it doesn’t pertain to them. Everyone in the company is part of the team.


We recommend allowing a three-week implementation period where the AUP is implemented in phases. This way, it will be more seamless and less jarring when it comes to everyone’s schedules. They need time to get used to its contents. Any issues should also come to light in these first few weeks, giving you or your committee plenty of time to amend anything you need to. Many companies don’t get their most effective Acceptable Use Policy version the first time.


Your marketing department, especially, will be quite familiar with this concept. You cannot really tell whether something is successful or effective without measurement. Follow people’s appropriate usage throughout the next year and beyond. Have managers check in at regular intervals to make sure everyone’s taking advantage of the work you put into your Acceptable Use Policy. It’s useless if people are not sticking to what is in the policy. Thus, monitoring the effectiveness of—and compliance with—your policy along the way is vital.

Review, Evaluation, and Revision

Something else to keep in mind: not only should you monitor and evaluate your Acceptable Use Policy over time to make sure people are listening to it or that you didn’t forget anything. Likely, it will need to change over time, regardless of how perfect it felt initially.

Times are clearly changing, which means new technologies and concepts will always arise. So you will need to keep your policies updated. If they become outdated, that lends another reason for employees to stop taking it seriously or become more easily confused with its contents.

Why This Is So Important

Keep in mind that small businesses make up over 90% of business in the country. Therefore, they play a crucial role in the supply chain and cyber attackers can’t help but thirst for their most sensitive information. Never think this shouldn’t apply to you, as even tiny networks can give skilled hackers bank account information, credit card data, employees’ and clients’ personal data, company intellectual property, and much more.

Any other organizations or networks connected with yours can be affected if yours becomes compromised. It can cost you reputation, money, time, and other resources. Breaches have easily bankrupted companies and quickly lost them the invaluable trust of customers.

As you saw in this article, so many things can pose serious security risks, from personal devices to something as simple as opening an email or putting in a password on a work computer. Hackers are becoming more advanced, and threats are dressed up very well, so your employees may never realize they’re clicking into extreme danger—if not properly prepared and educated. That’s what we’re here for.

You now know what should go into your document and how to implement it across your organization. Having an effective Acceptable Use Policy is only the beginning, though. There are many things you can do to help protect your company. We’re not ones to complain about technology—we love it! We live and breathe it.

But since cybersecurity threats grow as technology advances, it’s simultaneously becoming more wonderful and more frightening for the common worker, manager, and business owner by the day. For more tips on what you can do to minimize the potential of letting your company become the next target of malware or a terrible scheme, you can reach out or check out another helpful resource on cybersecurity. Protect yourself now before it’s too late.

Secure your company and its data


Nick Nyberg

Nick-Nyberg-Denver-IT-SupportNick, along with his business partner and friend Tony, founded Live Consulting in 2004. While working for large tech corporations, he found a passion for helping small business access the technology that larger corporations used. He and Tony started as a 2 man operation and grew LIVE Consulting to over 30 employees since and have recently earned a spot on the Inc 5000 Fastest Growing Businesses List. In his spare time, Nick scuba dives with his wife Leah, dominates at corn hole, and spends time with his two children.

Connect with Us

Subscribe to our Blog!

Post Categories

New Call-to-action



Contact Us

Tired of letting IT issues run your business? We’re here to help. Don’t worry, we leave our IT jargon at the office because we know you’re not an IT techy, that’s why you called us.