Document: Appendix A: Designing an Acceptable Use Policy - Pdf 96


Contents
Overview
Lesson: Analyzing Risks That Users Introduce
Lesson: Designing Security for Computer Use

Appendix A: Designing an Acceptable Use Policy

Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no
part of this document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.


applications, and the network.
After completing this appendix, you will be able to:
- Analyze risks that users introduce.
- Design security for computer use.

Lesson: Analyzing Risks That Users Introduce

*****************************
ILLEGAL FOR NON-TRAINER USE
******************************
Every organization must decide what is acceptable behavior for users and
computers. Lax acceptable use policies may leave the organization vulnerable
to attack. However, policies that are overly restrictive may inhibit business
practices and may be subverted or ignored by employees.
After completing this lesson, you will be able to:
- Describe an acceptable use policy.
- Explain why an acceptable use policy is important.

Violate a user’s right to privacy. For example, your organization may want
to create a security policy that audits user passwords to ensure that they are
not easily guessable, but doing so would violate privacy laws.

Why an Acceptable Use Policy Is Important

A user leaves her company-issued portable computer unattended at home while
connected to the corporate network by using a virtual private network (VPN)
tunnel. Her child approaches the keyboard and deletes critical files from the
corporate network, resulting in data loss.
An employee installs an application on his computer that is not permitted by
company policy. The application has known vulnerabilities, which an attacker
exploits to gain control of the computer. The attacker uses the computer to
attack the network.
External attacker scenario
Internal attacker scenario

Lesson: Designing Security for Computer Use

An acceptable use policy encompasses computers as well as applications,
network resources, and access to the Internet. The limits that you place on user
behavior must be appropriate, realistic, and enforceable. You must also ensure
that your users are aware of the rules that you create.
After completing this lesson, you will be able to:
- List the steps for designing an acceptable use policy.
- Explain guidelines for acceptable use of users, computers, applications,
  networks, and the Internet.

Steps for Designing an Acceptable Use Policy

Two important acceptable use policies for users pertain to how users:
- Manage information. To protect confidential information from exposure,
  create guidelines for managing these categories of information. You may
  need to further categorize information to create these guidelines. For
  example, you may want to create separate guidelines for legal information
  and human resources information, even though both have been categorized
  as confidential.
- Use accounts. To prevent accounts from being easily compromised by
  attackers, create acceptable use policies that determine how to use accounts
  and how to create and manage passwords. Because you must trust that
  users handle their user accounts with due care, create training and guidance
  for users on how to comply with the acceptable use policies.

Guidelines for Acceptable Use of Computers and Applications

4. Use of remote access. A user may use a remote access connection to the
organization to view illicit content on the Internet.

How to Define Acceptable Use of Internet Access

Because the Internet is an untrusted network, applications that connect to the
Internet can provide direct access for attackers to your internal network.
To enforce acceptable use policies regarding Internet use, you can often
combine the policies with implementations of technical policies, such as
firewall rules and software that screens Web content.

Security Policy Checklist

