Write a Policy
Step No. 3: Write a policy
Once you have decided what is and isn't acceptable use, the creation of a written policy is fairly straightforward. However, there are three best practices to keep in mind:
1. Use clear and nontechnical language
Nontechnical users, for example, are often unaware of how their activities impact bandwidth, how attachments over Web mail might bypass corporate virus scanning, and how downloading a free screen saver can infect their computer with malware.
2. Keep it short
The shorter the policy, the greater the chance that it will be read, understood and referred to in the future.
3. Stress the spirit of the law
Base your policy on simple, inviolable principles that can be seen as reasonable by both technical and nontechnical staff members. At a minimum, those principles should include the following: assessing Websites that are inappropriate (for example, violent, pornographic or hate Websites), assessing what amount of time is acceptable for personal Internet use, noting that the posting of confidential material is prohibited, defining Websites that should be avoided because of security risk or excessive demand on network bandwidth, and clearly stating which activities employees should refrain from.
Keep in mind that the Internet is changing rapidly, and it would be tedious to rewrite the policy every time a new technology or phenomenon such as Facebook presents itself as a threat. By clearly articulating a small set of guiding principles, you will avoid having to constantly revisit and rewrite it.