A good acceptable use policy does two things — it provides guidance on how to use networks and equipment, and marks clear restrictions that protect users and organization data from harmful situations. Here are the top five restrictions you should consider when writing your acceptable use policy.
1. Accessing organization data for purposes not related to work duties. There are a lot of innocent reasons why a staff member might dig into your data. Maybe the person is proud of the work on a recent campaign and wants to share the results with a few people. Or, maybe a board member is looking for someone to do yard work and wants to browse the client list. But innocent intentions could have severe consequences for clients, donors, or your nonprofit’s reputation when the lines between personal and professional use of data get blurred.
2. Using organization computers or other technology for personal commercial use. The people who give your organization data are trusting that you’ll use it to further a cause. Someone trying to profit from that data can make your mission seem insincere or even fraudulent.
3. Unauthorized attempts to intercept data not intended for you. It’s natural to be curious about what’s happening in other parts of your organization, and generally it’s a good idea to openly share information. But every organization is going to have some sensitive data. Clearly delineating who can and cannot see particular types of data will make it easier for staffers to know where not to go browsing and will make spying or data theft a clear policy violation.
4. Circumventing user authentication or security procedures. It might seem convenient to find some workaround that doesn’t require a password or running antivirus software, but in the age of botnets and ransomware, the convenience is not worth the risk. Every staff member should be using technology that’s above the minimum standards outlined in your policy and anyone knowingly working below those standards should face severe penalties.
5. Sharing personal information about other staff members with unauthorized parties outside of the organization. Helpfulness is not always a virtue. Imagine someone calls the office, claims to be a nonprofit partner, and says he urgently needs to get a signed document to Sharon. He just needs to know where she is on Mondays. Also, he lost her cell phone number and it would be a big help if you looked it up. The person might be telling the truth, but if he isn’t, you could be putting Sharon in danger. That’s not a risk your organization should take.