The internet. The World Wide Web.

It’s unlikely there’s a company in existence that doesn’t rely on the internet to drive its operations, empower its employees, and affect its bottom line. When the largest global aggregate of information is at your fingertips, you’ve got access to an immensely powerful tool. 

One so powerful, the Peter Parker principle must be applied: “With great power comes great responsibility.”

To ensure that responsibility isn’t taken lightly, it’s imperative for organizations to create an Acceptable Use Policy (AUP).

A blueprint for an effective acceptable use policy

When drafting an AUP it helps to outline what you intend to accomplish. Goals may include:

  • To ensure anyone with access to the computer system has a clear understanding of company rules for internet use
  • To create an environment of safety for all employees
  • To protect the customer data, financial information, or trade secrets from data breaches, hacks, and unauthorized use
  • To prevent misuse of network resources and create and to reduce the company’s liability should their systems be used for illegal or nefarious purposes

The best AUPs find that perfect balance between allowing employees the freedom to use the internet to perform their duties and insisting those with access act responsibly while using the company’s information systems and internet resources.

To find that balance, there are or six elements every AUP needs.

The six key elements of an acceptable use policy

Whether creating an AUP from scratch or starting with a template, make sure your AUP touches all these bases.


Also referred to as a preamble, the introduction states the company’s philosophy on why internet use is important and why developing rules around that use is necessary. The introduction gives an overview of the purpose of the AUP—to protect network security, employees, and the organization. This section also touches on the personal responsibility every user has for their actions while using the computer system and network resources, plus their responsibility to support a secure business environment.


An effective security policy includes a policy statement that specifically outlines the information systems and network resources the AUP covers. When applicable, any or all the following should be mentioned within the scope:

  • Company computers and hardware
  • Company issued mobile devices
  • Software applications
  • Operating system
  • Telecommunications equipment
  • Mail servers
  • Cloud storage
  • Databases

The scope also specifies the people the AUP applies to, from full or part-time employees and remote workers to independent contractors, suppliers, and external vendors.

Note: AUP authors should strive to create a clear, concise, and not-too-lengthy document. A common practice is to refer to other policies that support the AUP. For example, if a company is regulated by federal laws, such as HIPAA, the AUP can include rules about compliance, then reference the specific HIPAA policy. Or, if business operations require outside vendors to have user accounts, the AUP should direct readers to become acquainted with the vendor risk management policy.

Code of conduct: acceptable uses

This section dives into the detailed policies unique to your operations, defining the behaviors expected for appropriate use of company resources. 

Some acceptable use examples:

  • Use of the internet for job-related activities
  • Use of electronic communications to collaborate and share useful information
  • Receive authorization before installing any new software
  • Minimize tasks that result in monopolization or waste of company resources
  • Protect passwords and authentication credentials to prevent unauthorized access

Make sure to include statements about the personal use of computer systems, email, and the internet based on your company’s protocol.

Code of conduct: unacceptable uses

To create a safe work environment and reduce the organization’s liability as much as possible, a comprehensive list of unacceptable uses is also necessary. Layout the company stance by stating that end-users are prohibited from:

  • Sending email messages with inappropriate, offensive, harassing, or illegal materials
  • Using electronic communications to distribute chain letters, unsolicited advertising, or informational announcements for personal gain
  • Engaging in online activities that may compromise network security from malware, Trojan horses, viruses, or phishing scams
  • Using company resources to participate in any illegal activities

Depending on the nature of your industry, you’ll want to address compliance issues and rules for managing copyrighted materials, trade secrets, and proprietary information. Conducting regular user access reviews will help you keep your thumb on the pulse of use policy allegiance.


An acceptable use policy must clearly articulate the consequences for “violation of this policy.” Disciplinary actions may include anything from written or verbal warnings to termination or legal actions, including civil or criminal prosecution. It’s also important to include instructions on reporting policy breaches.


The definition section of an acceptable use policy serves to eliminate misunderstandings and ambiguities. You’ll also include definitions of industry-specific words or jargon as they apply to your company. Some examples of items to define may include:

  • Information technology systems
  • Information resources
  • Data and databases
  • End users

The benefits of an acceptable use policy

When multiple people have access to information systems, financial data, customer information, or other sensitive materials, potential risks to network security increase. When applied correctly, an AUP can help counter some of those risks by creating an environment that promotes ethical values and end-user responsibilities, creating a safer environment for everyone.

In the case of policy violations, an acceptable use policy also protects the organization from cyber liabilities. 

Adopting a robust acceptable use policy is an important step in reducing risk and strengthening an entity’s overall compliance program.