James Fox Shane Stuart Danny Deselle Matt Baldwin Acceptable Use Policies

Upload: evan-gray

Post on 17-Jan-2018


DESCRIPTION

LaStreichmoor’s Questions: 1. What kind of content is required in the AUP for our specific industry? 2. Is an AUP necessary in our industry? 3. What are the repercussions of not having one? 4. How will the implementation of an AUP benefit LaStreichmoor Inc.?

TRANSCRIPT

Page 1:

James Fox, Shane Stuart, Danny Deselle, Matt Baldwin

Acceptable Use Policies

Page 2:

Concept Map

Page 3:

LaStreichmoor’s Questions

1. What kind of content is required in the AUP for our specific industry?

2. Is an AUP necessary in our industry?

3. What are the repercussions of not having one?

4. How will the implementation of an AUP benefit LaStreichmoor Inc.?

Page 4:

Acceptable Use Policies

• Set of rules applied by network and website owners.

• Integral to information security.

• Restrict the ways in which the network or website may be used.

• To protect Company's networks and equipment.

• To reduce the Unsolicited Commercial Email "Spam" that is flooding Company's mail server.

• To protect Company and its employees from activities that might expose them or Company to legal action.

• Example.

Page 5:

Acceptable Use Policies: Elements

• A preamble: Explains why the policy is needed.

• A definition section: Defines key words used in the policy.

• A policy statement: Must tell what computer services are covered by the AUP and the circumstances under which the employee/customer can use computer services.

Page 6:

Acceptable Use Policies: Elements Cont.

• An acceptable uses section: Must define appropriate employee/customer use of the computer network.

• An unacceptable uses section: The AUP should give clear, specific examples of what constitutes unacceptable employee/customer use.

• A violations/sanctions section: Should tell the employee/customer how to report violations of the policy or whom to question about its application.

Page 7:

Acceptable Use Policies: Specific to Banking

• Security: Strict security procedures are needed in the storage and disclosure of personal information. When personal information is requested online, it should be ensured that the user's browser encrypts it.

• Cookies: There should be a statement about cookies, that is, information that a website stores on your computer so that it can remember something about you at a later time. Cookies are commonly used on the Internet and do not harm your system.

• Application Information: When a user applies for a product or service on LaStreichmoor’s Bank website, there should be a statement concerning the request for personal information that is needed to process the application. The information that is provided should only be used for the purposes described at the time of the application and, where applicable, in the Terms and Conditions that apply to the relevant product or service.

Page 8:

Acceptable Use Policies: Specific to Banking Cont.

• Digital Banking: There should be banking instructions concerning the use of secure Digital Banking services for access to the user's account.

Page 9:

About LaStreichmoor Inc.

• Online banking resource

• Most of customers in US, but expanding globally

• Worried about the security of their customers

• To this point they do not have an AUP

• Looking to find out if an AUP

Page 10:

Reasons for an AUP in banking?

• To protect customers

• To protect themselves

• Way to control storage of personal information

• Control employee contact with valuable information

• Help control application information

Page 11:

AUP Example

• The Royal Bank of Scotland

• Protecting customers' privacy

Page 12:

Components of RBS AUP

• Security
  - Ensure browser encrypts personal information
  - “Secure Sockets Layer”

• Cookies
  - Information a website stores about you
  - Contains cookies that hold no valuable information about you
  - Used in variety of ways

• Application information
  - Information provided only used for purpose stated

• Digital banking instructions
  - All information is confidential after you are “logged in”
  - Information used for your instructions only

Page 13:

Is an AUP necessary in banking?

• Not necessary, but preferred!

• Banks deal with valuable information

• Must control use and storage of information

• Customers feel more comfortable with an AUP

• To be a trusted bank you need an AUP!

Page 14:

AUP Guidelines

A strong AUP gives strict behavioral guidelines within a company for:

• Employees: What behavior is allowed, both professionally and in a personal sense

• Customers: Whether the company is a safe bet to do business with, and what their stance is on customer security

Also gives managers a way of enforcing ethical and behavioral violations

Page 15:

Ramifications of no AUP

• No way of enforcing rule or law violations

• No real guidelines or ground rules there to follow in the first place

• No protection for private, sensitive customer information

• Third party or criminal infringement an issue

• Responsibility for online behavior is not established

Very important issues in banking!

Page 16:

Example: Comcast

Comcast Shuts Down Users

In August of 2007, Comcast began hearing complaints from customers who were unexpectedly being disconnected or suspended from downloading

Comcast reported that they had a bandwidth limit, and customers that continuously exceeded the bandwidth limit were suspended for up to a year

The company would send a warning to the customer to cut back on the amount of downloading

Unfortunately, the phantom limit was not stated in Comcast’s AUP, leaving them open to lawsuits from customers

Page 17:

LaStreichmoor’s AUP Statement

The AUP should:

• Protect company resources

• Limit liability outside of what is expressed in the AUP

• Establish a strong code of conduct for customers and employees

• Make sure customers are well informed of the best way to ensure their own protection

• Take measures to prevent third party invasion

• Be updated consistently to keep up with current standards

Page 18:

Benefits of AUP

Customer Security:

• Assures the customer that their cookies will not contain confidential information

• Lets the customer know their information will be secure and what methods of encryption will be used

• Allows the customer to feel confident when conducting banking online with the company.

Page 19:

Benefits of AUP

Reduce the likelihood of legal liability:

• Ensures the customer knows the risks involved with online banking and is forced to accept them as terms of using the service

• Makes the customer agree to safe procedures in case there is a problem with confidentiality

Page 20:

Our Recommendations

LaStreichmoor should implement an AUP

• Follow model put forth by other banks

• AUP will ease the minds of customers

• Will make their bank more trustworthy

• Also will help take preventative measures to prevent identity theft

• Keep AUP consistently updated

Page 21:

Sources

http://en.wikipedia.org/wiki/Acceptable_Use_Policy

http://www.education-world.com/a_curr/curr093.shtml

http://www.rbs.co.uk/corporate/electronic-services/g3/secure-messaging/aup.ashx