How to build an Acceptable Use Policy for credit union IT systems

A challenge for credit unions today is giving employees the ability to be productive and use the many resources available on both their internal network and on the internet, while still ensuring IT security. While there are tools in place that allow IT departments to control the who, what, where and when of the data available (think: web filtering, spam filtering, access controls, etc.), the fact of the matter is that there is always a human element outside the control of those tools. Your users play a significant role in ensuring IT security, and it is best not to assume that common sense will always prevail. For this reason, the Acceptable Use Policy for your IT systems should be well documented and thought out, not only to satisfy regulatory requirements, but to be put to use educating your employees.

Here are some basic components of an Acceptable Use Policy:

  1. The Introduction: This should not be glossed over. In your introduction, lay out the specifics of your organization (name/location/contact), who the policy is intended for, and why it is in place. State why adherence to the policy is important, and what the repercussions are if it is not followed.
  2. Definitions: Again, this section may seem more like information to satisfy examiners, but it also helps educate employees on terminology they may not be familiar with. Who are the "Users" in your organization? Is it just employees, or do you also have third-party contractors, who can quickly become a liability if they violate the policy? It is equally important to lay out which "IT Systems" are covered by the policy. IT is more than just a laptop. Be sure to spell out the coverage, which may include any personal cell phones or tablets (BYOD) that employees bring onto your network.
  3. Scope: In this section, state the limitations of the policy. For example: "This policy covers only internal use of ABC Credit Union's IT systems, and does not cover use of our products or services by members or other third parties." This is also where you describe how the policy relates to NCUA regulations and FFIEC guidance, and to any other local laws and regulations that may supersede it. Clearly state the person or department responsible for ensuring the policy meets those regulations and stays within scope.
  4. Use of IT Systems: Now we get to the meat of the policy. Detail what acceptable use is for each system that is covered, from servers to desktops, laptops, teller machines, phone systems, the wifi available at your branches, etc. Detail which applications may be used and which may not. Clearly state that your systems are monitored, that any information on your systems, including email exchanges, is the property of your credit union, and that you reserve the right to audit that data.
  5. Data Security: Here is where you specifically outline what steps employees need to take, and what is expected of each of them, to protect your data. Outline your password policy. Detail what information on your network must be encrypted or otherwise secured, and what may not leave the network (for example, on removable media or personal email). Discuss the end user's responsibility for keeping laptops physically safe and in working order, and for reporting a lost or stolen device promptly. Clearly state who is responsible for monitoring and overseeing that data security practices are being upheld.
  6. Unacceptable Use: Give your employees some credit here, and state that they should use their best judgment when determining appropriate use; however, this is your chance to define very precisely what end users should NOT be doing on your network. Of course, prohibit all illegal activity outright. You may wish to consider prohibiting some or all staff from posting anything about your credit union on social media, or from using social media at all while at work. Let them know this section is subject to change as new technologies emerge.
  7. Enforcement: Simple and straightforward. What is the result of a violation of this policy? Is it immediate termination? Is it based on the scale and intent of the offense?

This is only a brief overview of some of the major components of a policy. If you have a legal department that can assist you or review your policies, involving it is always sound practice. If you need help drafting an IT policy, a managed service provider that specializes in the credit union industry can craft policies and procedures appropriate to your environment.

Mary K Donnelly

With a background in IT Product Marketing & Enterprise Sales, MK brings both experience and expertise to enCompass's business development strategy. Her knowledge of regulatory requirements within Credit Union ... Web: www.encompassgroupllc.com