Develop and disseminate policies on acceptable usage

1. Develop and disseminate policies on acceptable usage, security, privacy and copyright
Translation: Create “The Fine Print”
The principles most often given priority when designing and maintaining a website are:
• ease of use
• aesthetics
• reliability of content
2. Policies
Other key factors determine what content can be added and how it is to be handled. These are defined through policies including:
2. acceptable usage
3. privacy
4. copyright
5. security
3. 1. Acceptable Usage Policy
• An acceptable usage policy (AUP) is a set of rules and guidelines that govern how a website can and should be used.
• Such policies are often intended to
reduce the legal risk of the misuse of
a website.
• An AUP can also enable action to be
taken against a party that has
misused a website.
4. Target Audience
Websites are accessed and used by
a wide range of people, including:
•public visitors
•business partners
•internal staff
•website developers/designers.
5. Catering to the Target Audience
For example,
• Website developers will be able to modify
website content. Their AUP must explicitly
state the correct procedures to follow when
changing content.
•A public visitor, however, will generally not
change content and the AUP should state this
to protect against malicious users intent on
editing content.
6. What should an AUP contain?
An AUP may be called other names such as ‘usage policy’,
‘conditions of use’, ‘terms of use’ etc.
All AUPs should contain the following:
•Concise, clear statements that avoid ambiguity or legal jargon
•An outline of the intention of the website and services offered
•Explicit statements about what users are allowed to do and not
allowed to do - often referred to as the ‘code of conduct’
•Cross-links with other relevant policies
•A description of action to be taken if the policy is breached
•Disclaimers, to help protect from misuse and errors or omissions
within the website’s content.
7. Enforcement
AUPs must balance the need
(ii) to require users to view and accept the policy
(iii) to ensure that this process does not hinder the usability of a website.
Common methods used to deliver AUPs and other
policies to users:
•provide links to policies on every web page
•require internal staff to sight and sign the AUP before
a user account is created
•generate a message which reiterates key parts of the
AUP when users login to a secured section
8. A key part of enforcing the AUP is to
monitor misuse and take action against it.
• Actively monitoring web server statistics
and event logs
• These statistics/logs can point to suspicious
activity, such as large amounts of uploads
or downloads or a higher than normal
number of unauthorised attempts to access
secure sections.
• Statistics can be monitored automatically, with automatic alerts sent when pre-established thresholds are crossed.
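As an added example, not part of the original slides, the following Python script applies the threshold idea from this slide to a few constructed web server access-log lines: it counts failed (401/403) attempts on secured sections per client address and total bytes transferred per client, and raises an alert when either crosses a pre-set threshold. The log lines, the secured path prefixes and the threshold values are all invented for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Combined Log Format) for this example;
# addresses, paths and sizes are invented, not data from the original slides.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:40 +0000] "GET /about.html HTTP/1.1" 200 1840 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /admin/ HTTP/1.1" 401 512 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /admin/ HTTP/1.1" 401 512 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "GET /admin/ HTTP/1.1" 401 512 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:56:04 +0000] "GET /members/ HTTP/1.1" 403 512 "-" "curl/8.0"
192.0.2.55 - - [10/Oct/2023:13:57:10 +0000] "GET /downloads/archive1.zip HTTP/1.1" 200 60000000 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Oct/2023:13:57:30 +0000] "GET /downloads/archive2.zip HTTP/1.1" 200 55000000 "-" "Mozilla/5.0"
"""

# One access-log record: client IP, timestamp, method, path, status, bytes sent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def check_thresholds(lines, secure_prefixes=("/admin/", "/members/"),
                     max_failed=3, max_bytes=100_000_000):
    """Flag clients that cross the pre-set thresholds (hypothetical values).

    - 'unauthorised_access': at least max_failed 401/403 responses on secured paths
    - 'transfer_volume':     at least max_bytes transferred in total
    """
    secure_prefixes = tuple(secure_prefixes)
    failed = defaultdict(int)   # ip -> failed attempts on secured sections
    volume = defaultdict(int)   # ip -> total bytes transferred
    for line in lines:
        rec = parse_line(line)
        if rec is None:         # skip malformed lines rather than crashing
            continue
        volume[rec["ip"]] += rec["size"]
        if rec["status"] in (401, 403) and rec["path"].startswith(secure_prefixes):
            failed[rec["ip"]] += 1
    alerts = [("unauthorised_access", ip, n) for ip, n in failed.items() if n >= max_failed]
    alerts += [("transfer_volume", ip, b) for ip, b in volume.items() if b >= max_bytes]
    return sorted(alerts)


if __name__ == "__main__":
    for kind, ip, value in check_thresholds(SAMPLE_LOG.splitlines()):
        print(f"ALERT {kind}: {ip} ({value})")
```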
9. Taking Action Against Misuse
If the AUP is to be effective, action must be taken
against any misuse.
Typically, consequences are on an escalating scale. For
example, you might:
•issue a warning, demanding that the misuse stop and
outline possible further action
•suspend a user’s access to a website and its services
•terminate a user’s access to a website and its services
•place a financial burden on the user/s to pay for
administrative costs, account reactivation etc
•commence legal action against user/s.
11. 2. Privacy
Privacy can be defined as the ability to control who can and cannot see information and under what terms. That information includes the identity of the person or organisation.
12. What information is collected?
How will it be used?
• Users must be confident that the personal and
financial information they provide will be
handled confidentially and be clear as to how
the information will be used.
13. What is the difference between privacy and
security?
They are related but have one essential
difference:
•If confidential data is uncovered that does not
identify persons or organisations, then a
security breach has occurred
•If the data does reveal the identity of persons
or organisations then it becomes a privacy
breach.
14. What information is collected?
• Whenever you visit a website the web server logs information such
as:
• IP address
• type of browser
• operating system
• ISP
• screen resolution
• plug-ins used
• what pages you visited
• how long you stayed there
• what website you came from.
This information is very useful for web designers/developers but does
not in itself pose a great privacy risk as there is no name or
recognisable form of identification.
15. Collection of Sensitive Information
• If you wish to purchase goods or services online or
download ‘member’ data, it is highly likely that you will be
asked to complete an online form asking for your details.
Much of this data is unrelated to using a service, or fulfilling
an online purchase.
• By combining data about your behaviour on a website with
your personal information, you are vulnerable to unwanted
marketing from sources such as spam emails.
– In severe cases you may even be the victim of identity theft,
where a malicious user assumes your identity. Once they have
assumed your identity they may purchase products and services
using your credit card details and misrepresent or deface your
online presence.
16. Implications
• What does all of this mean? When writing a
privacy policy you should keep the interests of
your website visitors as a high priority.
Maintaining visitor trust will ensure that users
feel comfortable returning to and maintaining
a relationship with your website.
17. What should a privacy policy contain?
• The content of a privacy policy can vary
greatly. Usually this is determined by the type
of content on the website and the type of
industry the website is representing.
18. Low Risk Websites
• Basic websites that don’t require any personal
or financial data are at low risk of the misuse
of private information and therefore need
only a relatively simple privacy policy.
19. Higher Risk Websites
• Websites that require users to sign-in/logon
have a greater risk of private information
being misused and therefore require a more
detailed privacy policy.
• Websites that handle online financial
transactions pose the greatest privacy risk for
the typical visitor. Not only could their
personal information be misused but they
could suffer financial loss.
20. Industry Specific Legislation
• The type of industry also has an impact on the
level of privacy and security and the specifics of
the privacy policy.
• For example, in the banking and medical industries, there are specific legislative and duty-of-care requirements which directly impact on the formulation of their privacy policies.
• No matter what your specific privacy requirements, all privacy policies should include some basic features.
21. What to include in the Privacy Policy
• a statement of commitment to visitor privacy
• an outline of what information is collected
• how this information is stored and for how long
• what the organisation plans to do with this
information
• what you will not do with the information
• whether or not the information will be shared with
other parties
• how cookies will be used
• how to change personal information
• how the privacy policy is updated.
23. Copyright Policy
• The use of a copyright policy is designed to give protection to the website owner from the misuse of their intellectual property.
• Online information is very easy to
reproduce and re-transmit.
• A copyright policy helps an organisation
assert their rights over how their material is
published, copied, distributed, adapted etc.
24. Creative Commons (CC).
• Not all copyright is designed to prevent visitors from using, redistributing and adapting content. One approach, the use of CC, allows you to open up copyright restrictions.
• Allowing users greater access to material fosters a greater sense of community and good will, which ultimately promotes the organisation.
25. What does a copyright policy cover?
• Copyright policies should cover:
• trademarks—logos, slogans, product names etc
• web page text
• images
• audio
• video
• document downloads
• software downloads
• data stored in backend databases.
26. What should be included in a copyright policy?
For general copyright policies they should include the following:
•who owns the copyright to the material on the website – note that
copyright may belong to a number of different contributors
•what the copyright policy allows—reproduction, adaptation, redistribution etc
•whether permission is required to do any of the above and how to
obtain it
•what the copyright policy does not allow
•a warning regarding uploading of copyright material to the website if
this facility is available
•a disclaimer to help protect from copyright material accidentally hosted on the website
•acknowledgments of any copyright material used with permission
•what can be done if a copyright breach is suspected.
28. Security Policy
• Online content provides ready access to data and services. Increased access, however, requires increased security to safeguard personal or restricted information. A security policy is a must when the website provides sensitive information.
• Usually the security policy is covered by the AUP.
However, for website policies covering groups such
as website designers and developers, security issues
become very important and warrant specific
mention. Often these specific security issues are
included in an organisation’s general IT security
policy.
29. Security items that should be covered
include:
• user names, passwords and logins to be kept confidential
• all known incidences of security breaches, or suspicion that you have access to material from which you should be blocked, must be reported.
30. Direct access to Website Content
For users such as web designers with direct access to
website content, you should include more specific
security items, such as:
•new or modified content to be uploaded only over
secure channels—specify accepted encryption and
security techniques
•web pages or services requiring visitor data such as
usernames and passwords to be designed to transmit
this data over secure channels
•Only include content that does not pose a security risk
to the organisation
31. Access
• Sites and pages designed so as to maintain levels of
authorised access
• Website systems to be monitored for misuse and security
breaches
• Levels of authorised access for any locally stored or archived
material from the website—including printouts and emails—
to be maintained
• Guidelines to be provided for the website file, folder and
database structure, to ensure that sensitive data is in access
controlled locations
• Guidelines to be provided to ensure that all appropriate
checks and sign-offs are done prior to making changes live.
32. Enforcement of Security Policy
• As with an AUP, a security policy is only as powerful as its
enforcement.
• Web designers and developers involved in uploading content
to a website will need to have a sound understanding of the
security technologies in use. It may be necessary to provide
training and standards documentation in addition to any
security policies.
Security technologies may include:
• encryption—private key, public key etc
• FTPS and SFTP
• TLS and SSL
• digital signatures and certificates.
34. Obtaining a Balance
All of the policies mentioned - AUP, security,
privacy and copyright - should balance the
interests of the website owner and its visitors.
•For owners, the policies are designed to
provide protection and communicate their
position.
• For visitors, the policies should help them be
aware of their rights and responsibilities and
instil trust and confidence that the website will
protect their interests.