The Future of Acceptable Use Policy

Our acceptable use policies (AUPs) are not keeping pace with the latest uses of business and personal technology, and they are also failing to address the more radical changes we can expect to encounter in the future business world. But some organisations are waking up. Yesterday a colleague from a leading pharmaceutical company raised two challenging questions about AUPs.

The first challenge is what an AUP would look like in a de-perimeterised world. Traditional AUPs are a stack of restrictions. They’re full of do’s and don’ts, mainly the latter. Don’t connect non-company computers to the network. Don’t send work to your Hotmail account. Don’t use USB devices. Don’t install personal software. Don’t connect your iPod. Don’t blog. Don’t instant message. Don’t use your work email for private communications. And so on. In the future we will need to become much less prescriptive. Ultimately the AUP might well boil down to a single commandment such as “look after company data as though it were your own”. But a statement that vague might be difficult to enforce in an industrial tribunal.

The second challenge is how to manage acceptable use in a virtual world such as Second Life. Many companies are now beginning to explore this environment for business purposes. What constitutes acceptable use in an imaginary world with no laws, regulation or policing? Is it work or play? Is it fantasy or reality?

These questions reflect the problems raised by the continued erosion of the traditional boundary between business and personal lifestyles. Unlike the Industrial Age, the Information Age does not require a highly structured and regulated work environment. So we can expect a steady drift towards a more flexible and less formal way of doing business. The challenge is to understand, accept and manage the risks introduced by this fundamental paradigm shift.

Three things can help. The first is the use of modern security technology to enable finer-grained, real-time monitoring and management of employee behaviour against complex, fast-changing policies. The second is comprehensive and frequent education of users about new security risks and policies. The third is the introduction of imaginative and effective motivators to reward or discourage particular types of behaviour.

Doing nothing is not an option. Neither is simply advising users to “be careful out there”. If that is all we do, we will slowly sleepwalk into an unmanaged and highly dangerous business environment.