New Year Resolution: update acceptable use policy to include Web 2.0

Happy New Year!

It is very tempting to write about the top ten technology gadgets of 2008 or the top ten security problems for 2009, but I just can’t take any more! Who let the paparazzi into technology reporting? Those articles would be more valuable if the authors would evaluate their predictions from the previous year and compare their results. That will help me decide if I should continue to read these technology commentators!

<stepping off soapbox>

Many of the companies that Enclave Security works with have implemented some sort of acceptable use policy governing employees’ use of computers, networks, and mobile devices. We recommend that companies review and revise their information security policies at least once a year. Many acceptable use policies do not address personal use of Web 2.0 applications. With the advent of blogs, wikis, Facebook, and LinkedIn networks, many employees are accessing and contributing to these Web 2.0 technologies during work from the corporate network. Many times employees are using these Web 2.0 technologies for personal use.

I am not going to say if your company should allow personal use or not. That is personal! <Ba ha ha> That decision is based on company culture. I will say that as you review and update your acceptable use policy, take a moment to think about your particular organization’s philosophy and work style. The company’s work environment is really distilled into the company’s acceptable use policy. What kind of company do you work for?

If you are the security professional writing or modifying an acceptable use policy, here are some questions to ask and ideas to ponder as you revise your policies this year:

  • Does your company have internal social networking tools that employees can use instead? Internal social networking tools can drive innovation and employee loyalty.
  • Do social networking sites add value to your business? Are the employees saying good things about the company, and providing good marketing? Or, are employees complaining about the company?
  • Could your company be losing confidential information or intellectual property on external social networking sites?
  • Is employee productivity increased or decreased by allowing external social networking applications?
  • Is your company’s acceptable use policy so limiting that employees are disregarding it?
  • Are employees actively circumventing technical and operational controls to access social networking sites?

So, as you are updating information security policies, strive to understand your company’s culture, and I predict that your policies will have more voluntary compliance in 2009!

Let’s visit this again in 11 months!