Acceptable Use Policy Template for User Level Passwords

November 6, 2014 by Dan Virgillito

As technology radically shapes the working environment of users across the globe, we are also responsible for keeping up with security trends to avoid data breaches and hacking incidents.

Whether you're in a profit or non-profit organization, creating an Acceptable Use Policy (AUP) template specifically for user level passwords can be beneficial for your team, including the employees, managers, vendors, affiliates, and other parties.

Did you know that…

  • BYOD security incidents have cost organizations over $250,000 [a]
  • Android operating system posed more risks compared to other mobile OS [b]
  • Regardless of the size, organizations constantly receive external attacks [c]
  • 73% of large organizations have been infected by viruses and malicious software [d]
  • 92% of security incidents fall into nine patterns of attack, according to Verizon's Data Breach Investigation Report 2014 [e]

One of the growing trends in business and technology is the BYOD (Bring-Your-Own-Device) model, which many organizations practice nowadays. To mitigate the security incidents that come with it, an AUP template is required.

It's important that the policy is written in simple yet informative language, avoiding IT jargon and using words that the staff—from rank-and-file and administrative to C-suite level—will easily understand.

What is an Acceptable Use Policy Template?

There's a common template for an Acceptable Use Policy that organizations can follow and amend to best fit their IT structure (systems) or working environment. It is a requisite, and non-negotiable, for organizations with on-premise and hybrid structures (in-house and remote environments) that need to secure data exchange across devices.

An Acceptable Use Policy may come from the IT department and its collaboration with other head departments, C-suite executives and even the CEO. Generally, the AUP outlines the following elements:

  • Overview and/or Purpose – briefly outlines the purpose and background of the policy.
  • Scope – includes the users, devices, and networks involved in the policy.
  • Applicability – defines to whom the policy is applicable, and it can also be synonymous with the scope section.
  • Definitions – outlines important terms and words used, with expanded notes on the context in which they're being used (e.g. systems – pertain to network devices that the organization owns).
  • Responsibility – individual responsibilities of users.
  • General Policy and Guidelines – sections and sub-sections that outline the rules for device and password management, as well as detailed procedures for miscellaneous data handling and security measures.
  • Acceptable Use and/or Compliance – proper conduct and usage on the organization's virtual and IT assets, including communication rules online and offline.
  • Related Documents and References – applicable if the policy has references and support resources.
  • Fair Share Resources – rules imposed for shared data and other resources from the organization and third-party affiliates.
  • Enforcement – outlines the violations, jurisdictions, and consequences of employee(s) for failure to comply.

In short, an Acceptable Use Policy, also called a Fair Use Policy, is a set of rules imposed by the organization or manager on how the entire network or system may be used.

Under the General Policy and Guidelines, the organization may include rules for user level passwords: instructions on how employees will apply the rules or procedures. In layman's terms, these are the "do's and don'ts" of password management across devices such as computers, laptops, tablets, and smartphones, for the different user roles.

Narrowing Down the Rules to User Level Passwords

To come up with an Acceptable Use Policy template for user level passwords (ULP), the organization should consider the consequences (e.g. termination, forced resignation or reduced privileges) for an employee who fails to comply with the procedures; these should be highlighted in the Enforcement section. The organization can either include a set of ULP rules in this section or create a separate policy dedicated to it.

There are two categories of user-level passwords:

  • General user-level passwords – pertaining to (web) e-mail, desktops, laptops, and mobile device clients, etc.
  • User-level passwords – pertaining to passwords of user roles such as IT, HR, Finance, and Administrative departments, and other users whose job functions carry significant user roles, for example:
    • Marketing department
    • Creative and multimedia department
    • Sales department
    • Executive and C-suite levels
    • Independent contractors and affiliates

Why Creating an Acceptable Use Policy for an ULP is Important

The organization can create a systematic and detailed approach for the AUP, as well as a separate policy for user level passwords (ULP) for urgent dissemination across the teams and users. It's important to have a password management policy handbook and to verify that it is effective. In this way, it will:

  • Educate the staff for proper device and password management – your organization can include a short briefing about the password management and regulations for computers and mobile devices, whether shared or for personal use.
  • Mitigate security incidents for BYOD – you can set rules on how often passwords must be updated across devices used for corporate work, and SOPs for creating strong passwords, to lessen security incidents.
  • Prepare the staff for external attacks – provide insights and tips on basic defenses when it comes to external attacks and malicious software, especially when network devices are connected to the Internet.
  • Provide guidelines for stolen devices – inform the staff on urgent reporting for stolen devices, whether for personal use or for BYOD or corporate-owned devices.

Examples of an Acceptable Use Policy for an ULP

Here are samples used by universities, government, and non-profit organizations.

SANS Institute for the Internet Community – this 7-page AUP includes the abovementioned outline for the template policy. InfoSec created it for the benefit of the SANS Internet community for fair use and also included additional guidelines using the FAQs.

Truman State University – this policy, entitled "Password Management Policy", is more specific and covers the university's systems that use Truman accounts and passwords. The policy statement also covers system-level passwords, user-level passwords and SOPs for changes and updates (e.g. user-level passwords must be changed at least every 90 days).

National Center for Education Statistics – you'll find several samples on this page, including an AUP for Internet and electronic devices, an email policy, a password policy, and dial-in access. You'll also find a list of requirements for strong passwords and sample pass-phrases for more secure accounts.

How to Create an Effective Acceptable Use Policy for an ULP

Creating a separate policy for user level passwords may involve department heads working with the CIO or a third-party IT affiliate on the elements, outline, and structure. As mentioned earlier, there's a general template for an acceptable use policy, but depending on the type of organization, you can amend it based on your objectives and resources. An effective policy has the following characteristics:

  1. Clarity on Overview and Purpose – it must be straightforward and summarized for readers to easily understand the objectives and purpose. Be concise, clear, and communicative.
  2. Specificity With Contact People – the policy must always include the contact people responsible for creating it; they can be authorized personnel who are equipped to answer the users' questions regarding the sections and guidelines as stated.
  3. Systematic Approach – this will help the employees follow the rules in a methodical way through the outline—from the policy statements to enforcement and definition of terms.
  4. Readable and Adaptable – choose words carefully, avoid technical terms where possible, and make full use of the definition of terms to expand the meaning and context of the words and phrases used.
  5. Detailed Revision History – since security trends evolve, it's important to take note of the revision history to track the changes and keep everyone updated.

For large organizations that have several departments under one roof, it's highly recommended to require user-level password holders to change their passwords, or to set expiration dates, on a yearly, semi-annual, or quarterly basis. BYOD adopters must have a stricter fair use policy to protect the organization's IT resources and data.

You may impose password requirements for more secure accounts, just like the conditions written in the sample policies from the three organizations mentioned earlier. The requirements may include the following:

  • Password expiration (maximum days)
  • Definition of weak passwords (inclusion of names, birthday, company names, etc.)
  • Elements of acceptable passwords (inclusion of upper and lower cases, special characters, numbers, alphanumeric combinations and symbols, etc.)
  • Number of characters or length of passwords
  • Password authentication across multiple devices and clients
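The requirement list above maps directly onto checks an organization can automate when a user sets or renews a password. The following is an added example written for this article, not code from the article's author or from any of the organizations it cites: a small policy checker that enforces a minimum length, the required character classes, a list of forbidden terms (the user's names, birthday fragments, the company name) and a maximum password age. The minimum length and character-class settings are assumed values a policy owner would choose; the 90-day maximum age mirrors the Truman State figure quoted earlier, and the forbidden terms are constructed sample data.

```python
"""Password-policy checker modelled on the requirement list in the article.

Added example only. Thresholds other than the 90-day age are assumptions;
the forbidden terms are constructed sample values for a fictional user.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class PasswordPolicy:
    min_length: int = 12            # assumed minimum length
    max_age_days: int = 90          # Truman State example: change at least every 90 days
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    # "Definition of weak passwords": names, birthday, company name.
    # Constructed sample values for a fictional employee at a fictional company.
    forbidden_terms: tuple = ("acme", "jane", "doe", "1987")


def check_password(password: str, policy: PasswordPolicy) -> list[str]:
    """Return the list of policy violations; an empty list means compliant."""
    violations = []
    if len(password) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    if policy.require_upper and not any(c.isupper() for c in password):
        violations.append("no uppercase letter")
    if policy.require_lower and not any(c.islower() for c in password):
        violations.append("no lowercase letter")
    if policy.require_digit and not any(c.isdigit() for c in password):
        violations.append("no digit")
    if policy.require_symbol and not any(not c.isalnum() for c in password):
        violations.append("no symbol")
    # Case-insensitive substring match so "JaneDoe" is caught as well as "janedoe".
    lowered = password.lower()
    for term in policy.forbidden_terms:
        if term.lower() in lowered:
            violations.append(f"contains forbidden term '{term}'")
    return violations


def password_expired(last_changed_iso: str, today_iso: str, policy: PasswordPolicy) -> bool:
    """True when the password is older than the policy's maximum age.

    Dates are ISO strings (YYYY-MM-DD) so the check is easy to feed from an
    HR or directory export.
    """
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return (today - last_changed).days > policy.max_age_days


if __name__ == "__main__":
    policy = PasswordPolicy()
    for candidate in ("Tr0ub4dor&3xyz", "Correct-Horse", "janeDoe1987!"):
        print(candidate, "->", check_password(candidate, policy) or "compliant")
    print("expired:", password_expired("2014-08-01", "2014-11-06", policy))
```

Running the module prints the violations for each constructed candidate, which is the feedback a self-service password portal would show the user; the expiry check is the piece a scheduled job would run against account records to enforce the maximum-age rule.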

Examples of Best Practices for Safe Password Management

Here are some sample ULP guidelines found in the National Center for Education Statistics policies:

  1. Passwords should never be stored online.
  2. Refrain from using the same password for personal and corporate accounts.
  3. The IT department can conduct password cracking or guessing at random to check the strength of users' passwords; if a password is cracked or guessed, the user is required to change it to protect their account.
  4. Use passphrases for remote users' passwords.
  5. Decline the "Remember Password" prompt of web browsers, regardless of whether you're using a private or shared computer.

The Takeaway for User-Level Passwords

It doesn't matter whether you're running a small or large organization; what's important is that you establish a rock-solid fair use policy for everyone to follow.

Be intentional in performing a password policy induction, especially for new employees, whether in-house or remote users who will have access to your network resources such as corporate email clients.

An Acceptable Use Policy for an ULP is the backbone for securing your data and IT resources. Always remember to write succinct and clear statements that the staff will easily read and understand.

Dan Virgillito

Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news.