One of the early steps in establishing a culture of risk management with your staff is creating a suitable Acceptable Use Policy. Before I get into how to approach this policy, let’s review how this policy is defined.
An Acceptable Use Policy is a series of rules that define what end users may or may not do with their technology. Usually, this policy requires some kind of acknowledgment that the rules, including the potential consequences of violation, are well understood before any kind of login to the system is issued. A good policy not only outlines these rules but also explains the general rationale for their existence, so staff will ultimately buy into the concept and not see the rules as arbitrary or unreasonable.