Increasing use by employees of the internet for purposes both work-related and non-work-related adds to the risk of damaging security breaches.
During the Nonprofit Risk Management Center 2016 Risk Summit, Jim Jackson and Paul Henry, director of campus operations and IT and network administrator/engineer, respectively, of Momentous Institute, emphasized the importance of creating a culture of cybersecurity, and to do that they recommended an Acceptable Use Policy, a set of rules saying how an organization’s computer network may be used.
They suggested starting by doing the following:
- Identify threats and write corresponding policies to mitigate them;
- Reference examples. There will be many things somebody didn’t think of adding;
- Work closely with the human resources department; and,
- Have the final work reviewed by an attorney.
Once all that is done, they offered the following policies that should be included:
- Identify restricted activities. That includes: Accessing inappropriate websites, e.g., porn, online gaming; Installing software other than that approved by the organization; and, Using personal devices at work;
- Delineate what and how much incidental (personal) use is allowed;
- Remind users that the network is solely owned by the organization and that there should be no expectation of privacy. (Check state law.); and,
- Define consequences of violating any policy.
