Acceptable usage policy

What exactly is it?

An acceptable use policy (AUP) describes the rights and responsibilities of anyone using resources such as computers, the Internet, video cameras, etc. It explains the procedures they are expected to follow and makes clear what is considered acceptable behaviour when using them.

You may ask staff, volunteers, clients, trustees and partners to sign your AUP before they are allowed to use your equipment. It should certainly be part of your induction documentation and available on request. If you provide public access it should also be put on paper and posted in prominent places.

What is covered will be dictated by the nature of your equipment, the people using it and your views on what is acceptable.

Why have a policy?

A policy is a deliberate plan of action to guide decisions and achieve a rational outcome. Policies are the defined working procedures within a particular organisation and set out the ethos of that organisation. Those who use your ICT need clear boundaries and guidance on what is and is not considered acceptable use of ICT. The policy is as much about protecting the owners of the equipment as it is about protecting the user. It acts as an agreement: users confirm that they understand and accept the terms and conditions of using ICT within your organisation.

What should be in it?

The following headings are examples of the sort of content that should be covered in an AUP.

Introduction

Who the AUP applies to, what it covers, how it is communicated to users.

Disciplinary procedure

What the consequences are if the policy is breached and how it fits with other disciplinary procedures.

General computer use

Health and safety issues, safekeeping of hardware, security, food and drink around PCs, attitude to personal use, installing software, copying software, reporting faults, response times expected.

File management

How to store documents on local and server drives, good housekeeping, limits on data stored, security issues, who has permission to access what, how long documents need to be kept for.

Use of email

Which software to use, expected work-related usage, house styles (e.g. HTML or text), monitoring by organisation, email etiquette expectations. Acceptable personal use, if any, use of personal web mail addresses, sending and receiving attachments, anti-social or unacceptable usage, e.g. passing on chain mail, jokes, links to websites, spam, animations, hoax virus warnings, etc.

How to avoid spam, use of out-of-office notifications, archiving messages, membership of mailing/discussion lists.

Signature files

Format and content, e.g. name, job title, organisation, address, email and web addresses, company and charity numbers.

Web and other online usage

Which staff have web access, expected work-related usage, use of site-filtering software or services, downloading files, large files, streaming audio, acceptable personal use, if any.

Offensive material

Define the expectations of the organisation as much as you can, refer to other policies, such as equal opportunities and disciplinary procedures, make it clear what the process is and who decides what is offensive.

Messaging/chat

Use of chat programmes like MSN within the organisation, acceptable personal usage, if any.

Purchasing procedures

Budget approval procedures, established sources, quotations required.

Online purchasing

Current use of online purchasing, care when purchasing online, procedure for using accounts or credit cards.

Security

Physical security of building, what is in the inventory, how to report changes and mark equipment, what is and isn't covered by insurance policies.

Data protection

Requirements applicable to the organisation under the Data Protection Act 1998 - see the next page on data protection policy.

Passwords

List of logins required for working, procedures for logging in and out of systems, advice on how to create secure passwords (see box).

Back-ups

Who, when, how, and responsibilities of system users. Disaster recovery plans and requirements.

Anti-virus

Which software is used and update procedures, how to avoid viruses and what to do if you think you have one.

Your network

Who is responsible for what, e.g. backing up data, server administration, reviewing users, licence tracking, equipment auditing, troubleshooting, etc.

File management

Where users store documents (e.g. on fileserver or on local machine in My Documents).

Training

Induction details, e.g. introduction to the systems, file management, specialist software, AUP, identifying training needs, link to other procedures such as supervision and appraisals, what training can reasonably be expected.