HelpSource Q&A 

Download Article Article in Digital Form

We invite you to send your information systems audit, control and security questions to:

HelpSource Q&A
ISACA Journal
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA

Q It is very common for many organisations to have policies on acceptable use of systems, applications and other resources. Often such policies have a tenet stating that limited personal use is allowed. How do you define ‘limited personal use’? How do you determine that someone has exceeded the permitted limit? Can any metrics be used to determine whether someone exceeds acceptable limits?

Do you have suggestions in terms of how to make the ‘acceptable-use policy’ slightly more prescriptive, with a set of controls rather than cryptic statements stating that limited personal usage is allowed?

A Brilliant question, although it does not have an easy answer.

Let us start with a few real-life examples. A CEO of a well-known Irish bank was sacked for exceeding the limit of acceptable personal use of his bank-funded Internet facilities. Whilst on a business trip, sitting in his hotel and using his bank-provided laptop, he browsed some escort-related web sites. Once this became known to the bank, he lost his job. What if the same person had used his employer-provided mobile phone to make calls to an escorting agency? Would it have meant violation of the bank’s policy on acceptable use of bank-provided devices and equipment? Or, did it become an issue because the trail left on the laptop was more obvious than some obscure telephone numbers?

In another case, a mayor of a large US city landed in a controversy when more than 14,000 text messages exchanged with one of his colleagues, with whom he had had an illicit affair, became public. At least, in this case, it can be said that the mayor committed an unacceptable act of moral turpitude and landed himself in trouble. Of course, in the process, he used his employer-provided equipment to send 14,000-plus text messages.

Gambling is deemed illegal in some countries, whereas it is perfectly legal in others. So, if an employee chooses to enter a gambling web site, he may be violating the law of the land, in the first place. No employer will tolerate an employee indulging in something illegal. The same act might be considered acceptable in countries in which the law does not expressly forbid gambling. It can be an act of immorality, depending on the value system, but it may not be illegal in the eyes of the law.

Any act of browsing that crosses the acceptable law of the land can fall under ‘limited personal use’.

The following parameters can be used to define the limits of acceptability:

  • Personal use of business-owned or business-provided resources must not involve something illegal. Once someone crosses the boundaries set by law, even a small amount of personal use cannot be justified.
  • The usage must not result in loss of productivity. Employees are paid to do a job, and expectations are set clearly on the quantum and quality of their deliverables. If employers see a downtrend in both the quantity and quality of an employee’s deliverables, browsing the Internet during normal business hours, setting aside or according low priority to assigned work can be a possible reason for such decreases.
  • Any act of personal use of company equipment must not result in excessive consumption of other resources, again leading to potential business impact, e.g., causing the systems to be slow or less responsive. Bandwidth consumption due to excessive browsing of videos on the Internet might be an issue, for example. This is particularly valid in some countries in which Internet bandwidth is both costly and a scarce resource.
  • Company resources must not be put to use to do something that can be deemed unethical. For example, using employer-provided e-mail systems to aid insider trading. Such scenarios do not fall under limited-personal-use criteria.
  • Any act of moral turpitude using company resources is unacceptable. See the previous example.
  • Imagine a scenario in which an employee uses his company-provided e-mail ID to post some material or content on the Internet that could be deemed offensive, e.g., committing an act of racial or sexual discrimination. In such a case, the act of the employee can potentially defame the company as well, and have detrimental impact on its brand.

The point is that it is not always about excessive use of company resources. Even a personal act of an employee using company resources can land its employer in trouble. Let us take an actual incident that occurred in the UK:  When an employee quit a law firm, her previous boss wrote an e-mail to his colleague stating that she could be replaced with a ‘busty blonde’. The person who left the organisation somehow got hold of this e-mail, and, as a result, the company paid thousands of UK pounds in damages.

Each organization may have its own definition of ‘limited personal use’, but it is safe to say that, generally, limited personal use is about doing some occasional online shopping or travel booking or paying some bills. The act must be done infrequently, must not consume excessive resources, and must not violate any legal or ethical requirements.

Gan Subramaniam, CISA, CISM, CCNA, CCSA, CIA, CISSP, ISO 27001 LA, SSCP
is the global IT security lead for a management consulting, technology services and outsourcing company’s global delivery network. Previously, he served as head of IT security group compliance and monitoring at a Big Four professional services firm. With more than 16 years of experience in IT development, IS audit and information security, Subramaniam’s previous work includes heading the information security and risk functions at a top UK-based business process owner (BPO). His previous employers include Ernst & Young, UK; Thomas Cook (India); and Hindustan Petroleum Corp., India. As an international conference speaker, he has chaired and spoken at a number of conferences around the world.

Enjoying this article? To read the most current ISACA® Journal articles, become a member or subscribe to the Journal.

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2011 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.