Best practices in network acceptable-use policies

When it comes to designing and managing enterprise networks, it's easy to feel like you're reinventing the wheel. From dealing with viruses and other threats to extending your network to customers and remote employees, to dealing with network optimization, there are so many considerations that it can often feel overwhelming and isolating.

To make things more complex, for every new thought you might have about how to improve your network or make it safer or boost productivity, there are myriad software packages, gear and industry models that you have to sift through to find a match for your environment.

In this column, I'll help guide you through some of these difficult challenges. I'll share with you what other network professionals have done -- successfully and not so successfully (sometimes it's better to learn from other people's mistakes). I'll also tell you about emerging market trends and technologies on the horizon.

In the end, what you'll have is a set of best practices and in-depth knowledge to handle a host of situations you're bound to encounter -- everything from dealing with wireless networks to managing gadget mania to automating security throughout the network. As you put these guidelines to use, feel free to send me feedback that will help your colleagues who are struggling with the same issues.

I have more than a decade of experience covering networking and IT technologies that range from mainframes and grid computing to application acceleration and mobile devices. You name it, I've researched it. I've also built a network of contacts at companies worldwide that are willing to share their experiences with you. Some are bleeding-edge, some are more conservative in their endeavors. Some are high-level, dealing more with business issues, others are in the muck flipping bits. All have tremendous insight into the state of the industry that will help you avoid serious pitfalls.

Invariably, if you ask any of them what their biggest ongoing challenge is, they'll say their users. Users bring viruses to the network. They can make or break the success of any rollout. And users absorb time and resources with questions and problems.

Many network pros try to stay ahead of the game by focusing on user education. They stress the importance of communication between the network staff and the user community. Without it, they say, users run amok and cause serious problems.

I recommend starting with an acceptable-use policy that clearly outlines what users can and can't do on the network -- everything from when and if it's appropriate to access personal e-mail at work to installing their own wireless networks.

The goal is to be clear and concise and to leave nothing to chance. Here are some tips:

  • Take time with senior executives and business-unit leaders to map out the organization's priorities. Detail what you can't afford to have happen in the network from a business continuity standpoint and map that information to user responsibilities.

    For instance, if you don't want customer lists to be jeopardized, then you should create a policy that says that those lists can't be downloaded onto handheld devices; they must stay behind the corporate firewall. Or if you don't want to run the risk of having financial data stolen, then you should lock down employees' access to only corporate-approved machines. This avoids the chance that workers accessing the network from home could tamper with those files. Another example is banning the use of consumer instant messaging or gadgets with hard drives, like MP3 players. This could prevent data from being taken off the network.

  • Make sure your policy is in line with your business. If you don't have to follow strict regulations, then you don't have to be as strict in your policy.

  • Make sure you explain why you are creating these policies. Perhaps your company must comply with regulations such as the Health Insurance Portability and Accountability Act or the Sarbanes-Oxley Act, or your insurance company requires you to have data-protection rules in place. Whatever the reason, share it with your employees so they feel like stakeholders in the process.

  • Hold meetings periodically (once per year is a best practice) to explain the acceptable-use policy to employees, including any changes, and then have them sign the document. This avoids the inevitable "but I didn't know" excuse you might encounter if you try to enforce the policy.

  • Be able to back up the policy. Make sure you have network monitoring tools in place to enforce your policy. If an illegal application is downloaded, you should be able to immediately pinpoint the user and the machine. And make sure that senior management is behind any penalty you dole out. For instance, if you have to cut off a person's instant messaging access because he is abusing the privilege, be sure executives are in sync with this punishment.

  • Be flexible. If you see that times are changing and you either need to tighten or loosen your policy, don't be afraid to do so. For instance, if instant messaging is gaining traction as a business tool, revisit your policy and make adjustments accordingly. It's important the policy protects the network without standing in the way of business.

If you have any additions to what makes for a successful acceptable use policy, let me know at Also, e-mail me if there are specific topics you'd like to see covered in future columns.


Copyright © 2006 IDG Communications, Inc.
