Appendix B. Sample Acceptable Usage Policy

The following is a sample Acceptable Usage Policy.

Company X Information Security Policy
Section 003: Internet Access and Usage


While Company X wants to maintain our culture of trust, openness, and integrity, we must also protect employees, partners, and the company itself from illegal or damaging actions by individuals, either knowingly or unknowingly. This document describes Company X's official policy regarding Internet security and access.

Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, WWW browsing, and FTP, are the property of Company X. These systems are to be used for business purposes, supporting the needs of the company and clients thereof.

Each person who deals with information and/or information systems plays a role in an effective security process. All computer users are responsible for knowing these guidelines and must conduct themselves accordingly.


A. Downloads: All nontext files (databases, software object code, spreadsheets, formatted word processing package files, and so on) downloaded from non-Company X sources via the Internet must be screened with virus detection software prior to being installed or executed. Whenever the external provider of the software is not trusted, the downloaded software must first be tested on a standalone, nonproduction machine that has been recently backed up, so that if the software contains a virus, worm, or Trojan horse, any damage is confined to that machine.


A. Information Exchange: Company X's software, documentation, and all other types of internal information must not be sold or otherwise transferred to any non-Company X party for any purposes other than business purposes expressly authorized by management. Exchanges of software and/or data between Company X and any third party may not proceed unless a written agreement has first been signed. Such an agreement must specify the terms of the exchange as well as the ways in which the software and/or data are to be handled and protected. Regular business practices, such as shipment of a product in response to a customer purchase order, need not involve such a specific agreement because the terms are implied.

B. Message Interception: Wiretapping and other types of message interception are straightforward and frequently encountered on the Internet. Accordingly, Company X's secret, proprietary, or private information must not be sent over the Internet unless it has first been encrypted by approved methods described in Section 005 of the Information Security Policy. Unless specifically known to be in the public domain, source code must always be encrypted before being sent over the Internet.

C. Security Parameters: Credit card numbers, telephone calling card numbers, fixed login passwords, and other security parameters that can be used to gain access to goods or services must not be sent over the Internet in readable form. Encryption with a key length of 128 bits or greater is the accepted Internet encryption standard for the protection of security parameters. Any other encryption process or standard must be approved by the Security Council before use.


A. User Authentication: All users wishing to establish a real-time connection with Company X's internal computers via the Internet must authenticate themselves at a firewall before gaining access to Company X's internal network. This authentication process must be achieved via a dynamic password system approved by the Chief Security Officer. Examples of approved technology include handheld smart cards with dynamic passwords and user-transparent challenge/response systems. These systems will prevent intruders from guessing fixed passwords or from replaying a fixed password captured via a "sniffer attack" (wiretap). Designated "public" systems (anonymous FTP, Web surfing, and so on) do not need user authentication processes because anonymous interactions are expected.

B. Internet Service Providers: With the exception of telecommuters and mobile computer users, workers must not employ Internet Service Provider (ISP) accounts and dial-up lines to access the Internet with Company X's computers. Instead, all Internet activity must pass through Company X's firewalls so that access controls and related security mechanisms can be applied.

C. Vendors, Partners, and Suppliers: Any external party connecting to any part of Company X's information network must abide by Company X's security policies. No connection is permitted until approved in writing by the Security Council. The outside party must fully understand and agree to all security terms and conditions. Any and all such connections must be limited to only what the outside party needs to do business, and no more; for example, vendor or partner connections should terminate on an isolated, protected network segment rather than on the internal network.


A. No Default Protection: Workers using Company X's information systems and/or the Internet should realize that their communications are not automatically protected from being viewed by third parties. Unless encryption is used, workers should not send information over the Internet if they consider it to be confidential or private.

B. Management Review: At any time and without prior notice, Company X's management reserves the right to examine electronic mail messages, files on personal computers, Web browser cache files, Web browser bookmarks, and other information stored on or passing through Company X's computers. Such management access helps ensure compliance with internal policies, assists with internal investigations, and assists with the management of Company X's information systems.

C. Logging: Company X routinely logs Web sites visited, files downloaded, time spent on the Internet, and related information. Department managers may receive reports of such information and use it to determine what types of Internet usage are appropriate for the business activities of their departments.