Monday, 24 May 2010

Acceptable use policy

I wrote a generally applicable acceptable use policy for a computer environment for customers or companies that do not have one in place. What do you think of it? What should be added, removed, changed, fixed?

Version 0.1 DRAFT

This work is licensed under a Creative Commons Attribution-ShareAlike 1.0 Finland License.

Written herein is some common sense on how you should be handling your computer and the environment in which it lives. Computers are fairly delicate tools and should be handled accordingly. Think of a lab, or a restaurant kitchen. You need to wash your hands, wear certain clothes and jump through certain hoops to be allowed there, otherwise you're thrown out. But while this can seem obvious in environments like kitchens and labs, the same may not hold true when it comes to computers and how to use them.

The most fundamental thing to have in mind is this: you at work is not you off-duty. When you can separate the work-you from the freetime-you, you've come a long way. If you want another parallel, think of your computer as a gun, or a fairly expensive car. Use it accordingly.

Your work computer is a tool for your work. Use it for work, only. Purchase a computer for you to toy with. It's fun and you can do whatever you want with it. So can your spouse and your children, who all should be kept at arm's length from your work computer. Keep it clean. A contaminated computer can cause serious problems with business, which can be very expensive.

Use a hard-to-guess password. If your laptop gets stolen (yeah, it can happen, and not just to somebody else) make sure the bad guy only gets a chunk of fancy metal, not your company's trade secrets or a key to the back door of your office.

Your friendly IT support will worry about the well-being of your work computer. If you destroy it, contaminate it or do something foolish with it, whether on purpose or through negligence or stupidity, you will probably be frowned upon (if you wear a suit, you will be frowned upon after you leave), but you and your work computer will be taken care of. Your personal computer is off the IT support's radar and should be treated accordingly. Play with it to your heart's delight but don't call on your job's IT support to have it fixed.

Your work email address is for your work, only. Use a private email address for off-duty communications, when you don't represent your job. And should you change jobs, you'll still have your private email address. Do not forward "funny mails" from your job address within your organization (if you must, forward a link) and especially not out of it. It will make us look stupid and unprofessional.

Related to this, don't register to web sites or similar services with your work email address. Your work persona is not your off-duty persona and we have no intention of making them one. And it's okay to surf porn, just don't do it on your work computer (piracy, on the other hand, is illegal). If you get a disease, at least you're not taking the whole company with you. Which, again, can be very, very expensive.

Your work's laptops, desktop computers, printers, servers (which you rarely see, but they do exist) and other things with blinking lights are connected together in a network. Simply put, what can be used on one computer on the network can be used on another computer, which is why not everybody needs a printer of their own, or an Internet connection. Since the network is a fairly intimate connection between computers, only work computers are allowed to connect to it. If the company's IT department can't carry the responsibility of its well-being, it shouldn't share the network with business critical data and applications. You wouldn't take a dog from the street into that lab or restaurant kitchen, right?

The same goes the other way. While you can VPN into the office, do that only with your work computer, never with an "unblessed" one. You can read your mail using webmail on any computer, though (remember to log off when you're done!).

All computers fail. It's not a question of if, but when. Laptops fail more frequently than servers. Thus, store all the important stuff you have on the server. Your computer may be set up so that your "Documents" folder really resides on the servers and a copy of it is invisibly made on your laptop. In that case, you're safe, as long as you save your documents into the "Documents" folder. If your computer gets driven over or falls from a high building (or a table), have things set up so that you can get a new computer and have normality restored onto it.

That said, store only work documents on the server. Vacation pictures can be wonderful, but their place is not on company resources. Put them on a photo service on the web (Flickr, Picasa web, Photobucket), share and enjoy. Same goes for music files and, heaven forbid, videos. Your friendly IT support can open any file on the network (but won't -- they have ethics, and work to do).

As we share storage space on the server, we also share the Internet connection. If somebody has a gargantuan download or watches high-definition video at work, others at work (who may want to do billable work) will have "a slower Internet".

If you blog or tweet, don't reveal your cards from work unless that is your job. Mentioning your work is okay, mentioning your work's particulars probably isn't. Mentioning your colleagues or your customers in a bad light is definitely off the charts. If you feel iffy or unsure, it's probably in the not-okay-zone. The Internet has the memory of a herd of elephants.

And that's about the size of it. The Acceptable Use Policy can really be boiled down to "use common sense" and if you don't have enough of it, ask. "Stupid questions" are always better than ignorant behaviour.