Operational and Organizational Security: Policies and Disaster Recovery • Chapter 12 685
them to a coworker who decided to sue the company for creating a hostile work environment. The signed acceptable use policy could be used in defense of the company, but the court may decide that since the company had never enforced the policy, they, in essence, created an environment that allowed this kind of behavior to occur.
Many organizations implement acceptable use policies as contracts between the company and the employee, and require workers to sign a copy of the policy to show that they agree to abide by it. Since schools teach computer skills in early grades, parents and guardians are routinely asked to sign such policies on behalf of minors. Through these contracts, organizations have justifiable reason to fire employees or (in the case of schools) expel students who violate the agreement. In extreme cases, the signed policy can be used as evidence for prosecution. Because the responsibility of adhering to the policy is placed on the person signing it, organizations can also use the signed acceptable use policy as part of their defense from litigation. For example, if an employee hacks a competitor’s Web site, a company could use the signed policy to show that the onus of responsibility rests with the employee and not the company itself.
What is the best way to enforce an acceptable use policy? Audits should be conducted on a regular basis, including audits of data stored in personal directories and on local hard disks, and audits of firewall and system logs, to determine what has been accessed. In cases where suspected breaches of policy have occurred, e-mail messages may also be audited. Because courts have generally held that employees have no reasonable expectation of privacy regarding data stored on computers belonging to a company, such audits can occur regularly and without warning. To ensure users are aware that these audits occur, and to inform them that the organization takes its acceptable use policy seriously, mention of such measures should be included in the policy.
Due Care
Due care is the level of care that a reasonable person would exercise in a given situation, and is used to address problems of negligence. Due care may appear as a policy or concept mentioned in other policies of an organization. Put simply, an organization and its employees must be careful with equipment, data, and other elements making up the electronic infrastructure. Irresponsible use can cause liability risks for an organization, or result in termination of a careless employee.
www.syngress.com