{"id":231,"date":"2013-02-07T00:00:00","date_gmt":"2013-02-07T00:00:00","guid":{"rendered":"https:\/\/cyberthreatintelligencenetwork.com\/index.php\/2013\/02\/07\/communications-acceptable-use-policies-some-cybersecurity-considerations\/"},"modified":"2024-06-23T17:55:29","modified_gmt":"2024-06-23T17:55:29","slug":"communications-acceptable-use-policies-some-cybersecurity-considerations","status":"publish","type":"post","link":"https:\/\/cyberthreatintelligencenetwork.com\/index.php\/2013\/02\/07\/communications-acceptable-use-policies-some-cybersecurity-considerations\/","title":{"rendered":"Communications Acceptable Use Policies: Some Cybersecurity Considerations"},"content":{"rendered":"

Managing employee communications devices in the always-connected global business community has become an important issue for information security personnel engaged in the design of effective security policies (Kabay, 2009<\/a>).\u00a0 Key to successful management that avoids out-bound data loss and leakage and in-bound malicious attacks is buy-in and active participation by all corporate employees.\u00a0 A comprehensive Communications Acceptable Use Policy (CAUP) that addresses each issue systematically and is part of every employment agreement is also important for success (Stewart, 2002<\/a>). Select provisions of such an agreement should also be part of all third-party contracts, as well.<\/p>\n

Construction of a CAUP requires a working knowledge of the key issues that must be addressed (SANS, 2007<\/a>). To be effective, the policy design should be clearly correlated with the company\u2019s legal liabilities and use proper netiquette that is consistent with the corporate culture.\u00a0 In the banking and financial services sector (BFSS) this will include considerations of intellectual property protection, bank secrecy\/anti-fraud considerations, customer privacy and other issues (Grimm, 2010, March<\/a>). This is especially important in the Bring Your Own Device (BYOD) era where employees are increasingly blending business and personal activities through their communications devices (Roberts, 2012, October<\/a>).<\/p>\n

This paper will address some of the key components for constructing a CAUP for the BFSS.\u00a0 Legal and regulatory constructs and case (i.e. common) law will be used to substantiate my list of key components.<\/p>\n

Key Drivers
\n<\/b><\/p>\n

From a review of multiple CAUPs and the critical literature on the subject P.A. Laughton developed a hierarchical view of the importance of key drivers for the design of a CAUP.\u00a0 He found a wide range of examples that varied from being too vague, or, conversely, too restrictive (Laughton, 2008, December<\/a>). Importantly, he found that the evolving nature of Internet law showed that CAUPs must be viewed as dynamic, living documents that must be revised to reflect the changing liabilities a company faces and responsibilities employees must be informed of.<\/p>\n

Important findings among the studies he reviewed included the work of Flowers and Rakes (2000<\/a>).\u00a0 They identified four generic areas that should be included in every CAUP:\u00a0 (1) liability issues and concerns; (2) online behavior; (3) system integrity, and; (4) the quality of the content.\u00a0 Flowers and Rakes \u201cgeneric areas\u201d were adapted by Laughton in designing the list of \u201cdrivers\u201d for his hierarchical ranking.<\/p>\n

In a separate, and somewhat playful analysis by Scott and Vass a Seven P\u2019s Model is suggested:\u00a0 (1) participation; (2) partitioning; (3) philosophy; (4) privacy; (5) pernickety (do\u2019s and do nots of the policy); (6) phog phactor (ways to improve readability and reduce legalistic jargon); and (7) publication (1994<\/a>). Importantly for my analysis, Laughton uses their framework to inform his 2008 model.<\/p>\n

Laughton also found that previous studies and surveys failed to rank the relative level of importance of design drivers that should be dealt with in a CAUP.\u00a0 He offers such a ranking based on the acceptability of the CAUP to user communities and his own expert opinion.<\/p>\n

In the years since Laughton developed his model, and as companies have become more adept at crafting effective policies, the statutory, and regulatory and case law has evolved significantly.\u00a0 In fact, in the United States, legal frameworks have emerged in all of the categories of drivers originally proposed by Laughton, especially in highly regulated industries such as the BFSS.<\/p>\n

Table 1 lists some key examples specific to CAUP construction for the BFSS.<\/p>\n

Table 1.\u00a0 Laughton\u2019 Drivers and Modern Legal Frameworks for the BFSS<\/b><\/p>\n\n\n\n\n\n\n\n\n
Laughton\u2019s Driver<\/b><\/td>\nStatutory & Regulatory Frameworks<\/b><\/td>\nExamples of Case Law<\/b><\/td>\n<\/tr>\n
Legal Drivers<\/td>\nAll laws and regulations listed <\/i><\/b><\/td>\nAll cases listed <\/i><\/b><\/td>\n<\/tr>\n
Netiquette<\/td>\nTitle VII of the Civil Rights Act of 1964, as Amended; Age Discrimination Act of 1967, as Amended; Americans With Disabilities Act of 1990, as Amended<\/td>\nSmith v. Pillsbury (on professionalism in Email)<\/td>\n<\/tr>\n
Security<\/td>\nGramm-Leach-Bliley Act (specific to BFSS) Safeguards Rule (on employee\u2019s obligations to protect customer data); Sarbanes-Oxley (SOX) Section 404 Audits<\/td>\nShoars v. Epson America (on monitoring of Email)<\/td>\n<\/tr>\n
Privacy<\/td>\nOmnibus Crime Control and Safe Streets Act, Title III (on criminal investigation); Communications Assistance for Law Enforcement Act (on criminal investigations); Children\u2019s Online Privacy Protection Act of 1998, as Amended; Red Flags Rule under the Fair and Accurate Credit Transactions Act of 2003; FINRA Notices 10-06 & 11-39<\/td>\nPaul F. Ryan v. James F. Normandin (on invasion of privacy); York v. General Electric (on employee surveillance to be limited to public behavior); Rushing v. Hershey Chocolate (on routine drug screening); Double Click Inc. Privacy Litigation, [154 F. Supp. 2d 497, 502-03 (S.D.N.Y. 2001)]; 13 U.S. v. William Cannon; U.S. v. Ramos; People v. James D. Kent (on child pornography)<\/td>\n<\/tr>\n
Organizational Property<\/td>\nEconomic Espionage Act of 1996, as Amended; Computer Fraud and Abuse Act of 1986, as Amended by the USA PATRIOT Act;<\/td>\nLVRC Holdings v. Brekka (on business Email sent to personal laptop); Automatec Transactions, LLC v. IVG Holding Co.(on patent infringement); PhoneDog v. Kravitz (on follower list ownership); Litigation Mgt. Inc. V. Bourgeois (Ohio, 2011) (on non-competition); Walker Mfg. v. Hoffmann (on reverse engineering).<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

What becomes clear from this sampling of legal, regulatory and case law citations is that within each of the subordinate driver categories set forth by Laughton these legal drivers are vital for the design and development of a CAUP.\u00a0 Each one of the factors identified should be addressed from a legal, regulatory and case law point of view to avoid organizational liability, ensure customer and employee privacy, and protect the intellectual property of the enterprise. Therefore, the legal drivers should be envisioned as cross-cutting categories that are applicable to each of Laughton\u2019s other key drivers.<\/p>\n

I would recommend an alternative \u201chierarchy\u201d to the one proposed by Laughton.\u00a0 In my model all four of Laughton\u2019s categories are subjected, systematically, to a review of the legal, regulatory and case law history. Also notice that the order of the ranking has changed to illustrate the emphasis placed on security, privacy and intellectual property protection within the BFSS.\u00a0 For example, Netiquette, although an important factor for guiding the readability of the CAUP, is less important in this sector, given the legal liabilities companies face.<\/p>\n

Figure 2. Ginn\u2019s Model of Design Drivers for a CAUP for the BFSS<\/b><\/p>\n

Below are some examples of how these legal directives relate specifically to concerns of companies within the BFSS.\u00a0 I have used only a small sample of the laws and cases cited on Table 1, above.<\/p>\n

Security<\/b><\/p>\n

Gramm-Leach-Bliley Act (GLBA) regulated parties must protect against unauthorized access, ensure the security and confidentiality of customer records and information, and protect against any anticipated threats or hazards to the security or integrity of records.\u00a0 The Safeguards rule, issued by authority of GLBA, states that BFSS firms must develop, implement, and maintain a comprehensive information security program that is written in \u201cone or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to its size and complexity\u201d (FTC, 2002, May 23<\/a>). A key consideration for the CAUP designer will be how<\/i> to communicate this program to all employees so that they have a stake in the total security management program.\u00a0 This is where awareness training becomes an integral part of the implementation process.<\/p>\n

The Shoars v. Epson America case cited in Table 1 illustrates this point.\u00a0 In this 1994 case the plaintiff alleged that her termination occurred in retaliation for her reporting of, and refusal to go along with, interception of her Email, based on prohibitions concerning wiretapping and eavesdropping.\u00a0 A comprehensive training program and a well-designed CAUP that made the employee a partner in information security could have alerted her to the practice of company monitoring of Email communications within a less adversarial context.\u00a0 It is possible that such a training program could have helped Epson avoid this lawsuit.<\/p>\n

Privacy<\/b><\/p>\n

In my review of the privacy-related case law the majority of the cases involved enforcement action under the Children\u2019s Online Privacy Protection Act (COPPA).\u00a0 At a minimum a CAUP should specify acceptable employee behavior online regarding children\u2019s privacy.\u00a0 For purposes of this law, a child is defined as a minor under 13 years old.<\/p>\n

There are, however, many other privacy-related provisions that are more central to management considerations in the BFSS.\u00a0 Many of these are cited in the Privacy section of Table 1. Note that there are several laws that are tied to criminal investigations in the event of white collar crime and fraud.\u00a0 Forensics investigators into BFSS incidents need to know when and how their investigations can be questioned and\/or evidence excluded from a court proceeding because an accused party\u2019s right to privacy has been invaded.<\/p>\n

Organizational Property \u00a0\u00a0\u00a0\u00a0\u00a0 <\/b><\/p>\n

In September of 2011 a Grand Jury in Illinois indicted Chunlai Yang in a case involving intellectual property infringement (U.S. District Court, 2011, September<\/a>).\u00a0 The defendant had been an employee of the CME Group, a company that operated an electronic trading platform called Globex.\u00a0 He had been an employee during which time he routinely copied proprietary source code for his own personal use.\u00a0 He later opened a Chinese language trading platform that closely resembled the business logic of the Globex platform.\u00a0 The plaintiffs successfully prosecuted the case and Yang was ordered to pay compensation to his former company and turn over all corporate assets he had confiscated in the course of his employment (ibid., p.11).<\/p>\n

BFSS firms which develop proprietary business processes as account enhancements own these assets.\u00a0 These assets can give them a competitive edge in an industry with thin profit margins. This case offers one example of how case law is evolving in the area of intellectual property protection.<\/p>\n

Netiquette<\/b><\/p>\n

In an interview with the CISO for a major stock brokerage the importance of the readability of the CAUP was emphasized.\u00a0 He stated, \u201cSince policies and awareness of the policies exist to reduce risk by controlling behavior, the workforce needs clear, readable policy language. \u00a0Policy language, style, and tone will vary coordinating to company culture. \u00a0This should be expected, and the content should be reviewed annually<\/i>\u201d (personal communication, January 9, 2013).<\/p>\n

Purpose of Communications Acceptable Use Policies<\/b><\/p>\n

The importance of a well-crafted CAUP cannot be underestimated.\u00a0 This paper has emphasized the role of legal, regulatory and case law in defining the drivers that will inform the wording of a CAUP.<\/p>\n

But beyond the identification of legal, regulatory, and case law drivers discussed in this paper there is the crafting of the metrics used to measure and record compliance.\u00a0 This was emphasized in my interview with the CISO: The area to focus on is the\u00a0compliance measure and associated metrics. \u00a0When implementing any compliance program, 100% compliance is always the goal, but perfection is difficult to obtain. \u00a0So there must be acceptable, marginal, and unacceptable percentages of employees successfully completing the required policy awareness learning module.\u00a0 Start on solid footing and encourage HR to require that employee goal setting\/evaluation include adherence to required modules. <\/i>(personal communication, January 9, 2013).<\/p>\n

Two researchers from St. John\u2019s University have recently developed a schema for designing deterrence approaches for using business assets for personal actions (Ugrin, 2008, Winter<\/a>). Subsequent work on the development of a comprehensive CAUP should also include discussion of these types of methods for gauging conformance and shaping employee behaviors.<\/p>\n

Conclusions<\/b><\/p>\n

\u00a0<\/b>This paper has emphasized the role of statutes, regulations and case law in the design and development of a comprehensive CAUP.\u00a0 I have illustrated how a clear understanding of the specific issues within each of four areas can help to craft a document that can have the force of law if challenged in court. These are: (1) security; (2) privacy; (3) organizational property; and (4) netiquette.\u00a0 Although legal issues must be dealt with in a clear and concise manner, it is also important that the wording of the CAUP be understandable by all of the employees and\/or contractors subject to its provisions.\u00a0 And, for the CAUP designer, the careful construction of metrics for measuring conformance will be most important for establishing a consistent and enforceable CAUP.\u00a0 The next steps for designing a comprehensive CAUP will be to specify such metrics and measures that correlate specifically to the types of legal considerations outlined in this paper.<\/p>\n

References<\/b><\/p>\n

Children’s Online Privacy Protection Act, 15 U.S.C.\u00a0 6501-6506 (Pub. L. 105-277) (1998).<\/p>\n

Flowers, B., Rakes, G. (2000). Analyses of acceptable use policies regarding the Internet in selected K-13 schools. Journal of Research on Computing in Education, 32(3)<\/i>, 351-365.<\/p>\n

FTC, Standards for safeguarding customer information: Final rule<\/i>, 16 C.F.R. \u00a7 Part 314 (2002, May 23).<\/p>\n

Gramm\u2013Leach\u2013Bliley Act [GLBA], Pub.L. No. 106-102, 113 U.S.C., \u00a7 1338 et. seq.<\/i> Stat. (1999, November 12).<\/p>\n

Grimm, J. R. (2010, March). Intellectual property crimes. American Criminal Law Review, 47(2)<\/i>.<\/p>\n

Kabay, M. E., Kelly, S. (2009). Developing security policies. In S. Bosworth, Kabay, M.E., & Whyne, E. (Ed.), Computer Security Handbook (5th ed.)<\/i>. Hoboken, NJ: John Wiley & Sons, Inc.<\/p>\n

Laughton, P. A. (2008, December). Hierarchical analysis of acceptable use policies. InterWord Communications, Vol. 10(4)<\/i>.<\/p>\n

Roberts, P. (2012, October). Holes in BYOD: Are your security policies up to the challenge of a bring-your-own-device world? Dark Reading<\/i>. Retrieved from http:\/\/www.darkreading.com\/security\/news\/240008838\/byod-filling-the-holes-in-your-security-policy.html<\/a><\/p>\n

SANS. (2007). Information security guide: A development guide for large and small companies<\/i>. Information Security Reading Room.<\/p>\n

Sarbanes\u2013Oxley Act [SOX], Pub. L. No. 107-204, 116, \u00a7 745 et. seq.<\/i> Stat. (2002, July).<\/p>\n

Scott, V., Voss, R. (1994). Ethics and the 7 P’s of computing use policies. Ethics in Computing Age<\/i>, 61-67.<\/p>\n

Shoars v. Epson America, Case No. BC007036, Los Angeles County Superior Court (1994).<\/p>\n

Stewart, F. (2002). Internet acceptable use policies: Navigating the management, legal, and technical issues, Ch. 31 The Privacy Papers: Managing Technology, Consumer, Employee, and Legislative Actions<\/i>. Zug, Switzerland: CRC Press, LLC.<\/p>\n

U.S. v. Chunlai Yang, Violation: Title 18, U.S.C. \u00a7 1832(a)(2) and (a)(4) C.F.R. (2011, September).<\/p>\n

Ugrin, J. C., Pearson, M.J. (2008, Winter). Exploring Internet abuse in the workplace: How can we maximize deterrance efforts? Review of Business, 28(2)<\/i>. <\/p>\n","protected":false},"excerpt":{"rendered":"

Managing employee communications devices in the always-connected global business community has become an important issue for information security personnel engaged in the design of effective security policies. A comprehensive Communications Acceptable Use Policy that addresses each issue systematically and is part of every employment agreement is important for success.<\/p>\n","protected":false},"author":2,"featured_media":3691,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"elementor_theme","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"footnotes":""},"categories":[330,27],"tags":[195,197,198,199,201,202,203,205,206,207,208,210],"class_list":["post-231","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-operations","category-policy","tag-acceptable-use-policy","tag-banking-and-financial-services","tag-communications-devices","tag-comprehensive-communications","tag-effective-security","tag-employee-communications","tag-financial-services-sector","tag-hierarchical-view","tag-intellectual-property-protection","tag-legal-liabilities","tag-malicious-attacks","tag-proper-netiquette"],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\n\t\n\t\n\t\n\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t