
The two screenshots I submitted cover what's entered below; it might be easier to read/view there.

Chattahoochee Software Initiative: An inspired company with an uninspired name.
CSI is classified as an SMB (Small and Midsized Businesses; 10 – 500 employees) and specializes in writing security utilities and security educational apps, primarily for mobile platforms, although apps for the Windows Store are being prototyped. The flagship apps targeted Bluetooth: CSI wrote an Android and iOS (Apple) app that could scan the host phone for critical Bluetooth vulnerabilities. They followed up with an app that enabled phones to scan for Bluetooth-enabled credit card skimmers in ATMs and fuel pumps. CSI also markets educational apps to train non-technical people about mobile security risks.

The IT infrastructure is managed in-house, and all equipment is supplied by the company, although employees are allowed to use their personal smartphones for email. (CSI does not like BYOB.) Since the company is small, there is not a separate IT security staff, so server and network administrators are responsible for security.

The network is segmented, meaning that different company functions are separated from each other. The software development environments are protected to prevent code that is not thoroughly tested from entering a production environment. There are policies and procedures in place to move software from development to test and then to production.

The company population is primarily developers and testers, with a few executives focused on managing and growing the company. A small help desk manages internal and external customers, and a small IT staff keeps the infrastructure running.

One day a manager was reading about security risks due to employee negligence or mistakes. She believes that CSI’s current acceptable use policy is fairly awful and does not sufficiently address the proper use of company IT assets. The entire security policy library could use a review. She receives authorization to issue an RFP (request for proposal) for a policy library review contract.

Your Assignment
You submitted a proposal and a password standard sample earlier. You would like to win a contract to evaluate CSI’s policy framework, suggest improvements, and update/upgrade their policy library. That should keep you busy and paid for a while. Your proposal got you noticed and through round 1, and now as a finalist you are going to submit a sample Acceptable Use policy based on the sketchy information above. Again, you do not know a whole lot about the company so make some assumptions and outright guesses when writing the policy.

  1. You do not have to write any proposals. You will write a sample Acceptable Use policy personalized with CSI information (in other words, write a policy, not a template). Since the information you have about the company is incomplete, feel free to make some assumptions to fill in gaps.
  2. The policy should usually be two to four pages. It could be longer if you feel it’s necessary, but don’t go overboard. We want to communicate the basics of acceptable use without too much detail. Policies are for rules; details are for Standards documents.
  3. If some topics need more detail, you may hand them off to another document but you do not have to write that other document. Example: Your AUP may require strong passwords. Rather than take up another page with password requirements, reference a Password Standards document in your policy. (“Please refer to the company’s Password Standard” or something along that line.)
  4. Format your paper like a real policy document, not an academic paper (you know, the double spacing, strict footnote/endnote requirements, etc.), and not a PowerPoint presentation. You want to present a professional looking document. Look at some real-world examples for inspiration.
  5. Speaking of footnotes/endnotes, remember my admonitions about plagiarism (don’t). If you do need or want to quote a source, give that source credit by using footnotes/endnotes. Real policies likely won’t have those, but we need to make an exception for this.


  1. While the assignment grade will concentrate on the message and not so much on the construction, do use a spell checker / grammar checker. Ask someone trusted to read your paper for an opinion, and it’s really helpful if that person is not an IT person. You may get suggestions for including a glossary.
  2. Read some of the samples here in Blackboard and on the Internet via a search engine, and look at the characteristics of what you feel is a good paper – easy to read, introductions, acceptable uses, examples of unacceptable use, and concluding sections (e.g. enforcement, endorsement, education, glossary, signatures, etc.)
  3. And one last tip buried at the end – remember to include that statement about violation of federal/state/local law in your paper. That covers quite a bit of unacceptable behavior in one statement and is great protection for your client/employer.
