A new take on personal-use rules

It might be time to dust off the acceptable-use policy.

Government organizations have had such policies in place for years to spell out what employees can and can’t do when using the Internet, e-mail and other enterprise information technology resources.

But the proliferation of Web 2.0 technologies and the evolving regulatory compliance landscape have compelled many agencies to re-examine their acceptable-use policies. Security executives point out that many of the acceptable-use documents in use today predate the advent of blogs, wikis and social-networking sites. Policies may also fail to reflect the requirements of such regulations as the Payment Card Industry Data Security Standard and the Health Insurance Portability and Accountability Act.

“We’re in the process of doing that right now,” said Dan Lohrmann, Michigan’s chief information security officer. “The statewide, government acceptable-use policy…was written six years ago and doesn’t include anything about social networking and Web 2.0.”

However, making policies relevant is only part of the acceptable-use policy challenge. Agencies also confront the perennial task of making them work. Employers aim for voluntary compliance but often deploy content monitoring technology to help with enforcement.

Policies ripe for change
An acceptable-use policy is typically distilled from an organization’s overarching IT security policy and stated in layperson’s terms. That makes it the key document for communicating an organization’s security stance and expectations for employee use of IT resources, said Dick Mackey, vice president of consulting at SystemExperts.

“The policy that, in fact, has the most direct impact on users in an organization is the acceptable-use policy,” he said.

In the government, an employee reads and signs one or more acceptable use policy documents as a condition for using IT assets, said Doug Chabot, principal solutions architect with QinetiQ North America’s Mission Solutions Group.

“Government agencies are looking to manage their legal exposure,” Chabot said. The policies also involve managing data security and what people are doing with their time, he added.

When creating policies, agencies view IT usage through a couple of core tenets.

Simon Szykman, chief information officer at the National Institute of Standards and Technology, said his organization’s high-level principles include whether the use benefits NIST, whether it complies with government laws and regulations, and whether it adversely affects the operations or reputation of NIST or other organizations and individuals.

NIST and other agencies must now apply their usage principles to new developments, Web 2.0 in particular. Szykman said NIST is reviewing its policies in light of Web 2.0 “to assess what kinds of changes we need to make.”

When it come to the business use of Web 2.0, Szykman said NIST needs a policy framework that distinguishes between ad hoc communications and more formal publishing of information. NIST already has a review process for publications and information that appears on its Web site. The current task is to decide how to handle newer forms of communication.

“Is creating a blog entry more like e-mail or more like publishing?” Szykman asked. “What about putting a video up on a third-party Web site?  We have existing policies and procedures for communications and information dissemination of traditional media — e-mail, written documents, static Web content — that need to be updated to adapt them to new media.”

Lena Trudeau, program area director of strategic initiatives at the National Academy of Public Administration, noted that a number of agencies are addressing Web 2.0 policy. She cited the Navy’s work on a wiki policy and the terms-of-use policy the State Department has created for its internal Diplopedia wiki.

Trudeau said agencies have been mostly on their own when it comes to crafting policy, but she hopes to change that through the NAPA-supported Collaboration Project. That project, which provides a forum for sharing ideas on Web 2.0 adoption in government, will host a Web 2.0 policy conference this month or early next year. The conference will bring together IT security, Web site management, records management and other agency personnel.

Trudeau said the objective is to create a draft set of core Web 2.0 policies that can be circulated across agencies for their comments and, ultimately, adoption.

Michigan, meanwhile, is in the early stages of revising its acceptable-use policy. Lohrmann said the state seeks to find a middle ground between banning Web 2.0 sites and permitting unfettered use.

“Whether it is MySpace or Facebook or YouTube or Twitter or Second Life, how do you open it up…and how do you have accountability around that?” Lohrmann asked. “That is the overarching issue.”

The evolution of Web 2.0 policies is also playing out at the state level, said Charles Robb, issue coordinator at the National Association of State Chief Information Officers.

Robb cited the example of Kentucky state government, where he previously worked. The state initially attempted to ban Web 2.0 tools but relented when the prohibition was viewed as a business constraint. The updated policy said state employees could browse wikis and blogs but not write on them. That policy changed again to permit writing in cases of a legitimate business need.

Mackey said regulatory compliance also drives the revision of acceptable-use policies. SystemExperts usually finds that customers’ policies require alteration when it conducts compliance assessments, he said.

From policy to enforcement
Penalties for violating acceptable-use policies range from account suspension to legal action. At NIST, enforcement is largely a matter of policy and accountability.

“There’s a general culture of trust where we assume that people are doing what they should be doing and not doing what they shouldn’t be doing,” Szykman said.  “When it comes to light that individuals have broken that trust, existing policies allow for people to be held
accountable through a broad range of responses.”

The possible responses include informal coaching and counseling, formal disciplinary action, termination of employment, and criminal prosecution if warranted, he said.

In addition to policy, most agencies wield technology to enforce acceptable use, Chabot said. He noted that organizations typically use a patchwork of tools to do the job.

These include firewalls configured to block access to Web sites. Content monitoring and filtering technology analyzes Web site and e-mail content, which can be blocked if deemed a policy violation. Data loss prevention software flags and monitors sensitive data to prevent unauthorized transmission.

Government deployment of technology varies. For example, Michigan uses SurfControl, now marketed by Websense, for Web filtering, Lohrmann said. The state has a formal process for blocking sites and an exception process for unblocking access if a legitimate need exists.

NIST, on the other hand, doesn’t block access.

“From a technology perspective, we don’t do Web site blocking or content filtering,” Szykman said. “We do perform network monitoring, but it’s done to monitor how people are using our network in order to help IT management and operations, and to help ensure security.”