Gan Subramaniam, CISA, CISM, CCNA, CCSA, CIA, CISSP, ISO 27001 LA, SSCP
We invite you to send your information systems audit, control and security questions to:
HelpSource Q&A, ISACA Journal, 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008 USA. Email: email@example.com
It is very common for many organisations to have policies on acceptable use of systems, applications and other resources. Often such policies have a tenet stating that limited personal use is allowed. How do you define ‘limited personal use’? How do you determine that someone has exceeded the permitted limit? Can any metrics be used to determine whether someone exceeds acceptable limits?
Do you have suggestions in terms of how to make the ‘acceptable-use policy’ slightly more prescriptive, with a set of controls rather than cryptic statements stating that limited personal usage is allowed?
Brilliant question, although it does not have an easy answer.
Let us start with a few real-life examples. A CEO of a well-known Irish bank was sacked for exceeding the limit of acceptable personal use of his bank-funded Internet facilities. Whilst on a business trip, sitting in his hotel and using his bank-provided laptop, he browsed some escort-related web sites. Once this became known to the bank, he lost his job. What if the same person had used his employer-provided mobile phone to make calls to an escorting agency? Would it have meant violation of the bank’s policy on acceptable use of bank-provided devices and equipment? Or, did it become an issue because the trail left on the laptop was more obvious than some obscure telephone numbers?
In another case, a mayor of a large US city landed in a controversy when more than 14,000 text messages exchanged with one of his colleagues, with whom he had had an illicit affair, became public. At least, in this case, it can be said that the mayor committed an unacceptable act of moral turpitude and landed himself in trouble. Of course, in the process, he used his employer-provided equipment to send 14,000-plus text messages.
Gambling is deemed illegal in some countries, whereas it is perfectly legal in others. So, if an employee chooses to enter a gambling web site, he may be violating the law of the land, in the first place. No employer will tolerate an employee indulging in something illegal. The same act might be considered acceptable in countries in which the law does not expressly forbid gambling. It can be an act of immorality, depending on the value system, but it may not be illegal in the eyes of the law.
Any act of browsing that crosses the acceptable law of the land can fall under ‘limited personal use’.
The following parameters can be used to define the limits of acceptability:
The point is that it is not always about excessive use of company resources. Even a personal act of an employee using company resources can land its employer in trouble. Let us take an actual incident that occurred in the UK: When an employee quit a law firm, her previous boss wrote an e-mail to his colleague stating that she could be replaced with a ‘busty blonde’. The person who left the organisation somehow got hold of this e-mail, and, as a result, the company paid thousands of UK pounds in damages.
Each organization may have its own definition of ‘limited personal use’, but it is safe to say that, generally, limited personal use is about doing some occasional online shopping or travel booking or paying some bills. The act must be done infrequently, must not consume excessive resources, and must not violate any legal or ethical requirements.
Gan Subramaniam, CISA, CISM, CCNA, CCSA, CIA, CISSP, ISO 27001 LA, SSCP, is the global IT security lead for a management consulting, technology services and outsourcing company’s global delivery network. Previously, he served as head of IT security group compliance and monitoring at a Big Four professional services firm. With more than 16 years of experience in IT development, IS audit and information security, Subramaniam’s previous work includes heading the information security and risk functions at a top UK-based business process owner (BPO). His previous employers include Ernst & Young, UK; Thomas Cook (India); and Hindustan Petroleum Corp., India. As an international conference speaker, he has chaired and spoken at a number of conferences around the world.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2011 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.