Develop and disseminate_ policies_on_acceptable usagePresentation Transcript
Develop and disseminate policieson acceptable usage, security,privacy and copyrightTranslation: Create “The Fine Print”The principles most often given priority whendesigning and maintaining a website are:•ease of use aesthetics•reliability of content
Policies The quick quick bro The quick brown wn fox quick bro brown wn fox SECURI fox jum jumps ov fox jum jumps ov fox jum TY the lazy the lazy er the laz ps ov dog. Th ps over y dog. The qu er the laz e quick dog. Th ps over y dog. The qu e quick y dog. Th brown ick brown brown ick brown e quick er the laz g. The quick bro fox jum fox jum fox jum brown wn fox ps over fox jum ps ps over fox jum jum ps over the lazy ps over y dog. the laz over the the lazy dog. Th lazy do dog. the lazy ps over y dog. the laz e g. The dog. Th e brown lazy do over the The quick wn fox jumpsOther key factors determine what quick bro PRIVACYcontent can be added and how it is The quick bro quic k brown wn fox jumps over fox jumps the over the lazy lazy dog. The quick dog. The quic brown The quick brown fox k brown fox fox jumps over the lazy quick brown jum ps ove jumps ove dog. The fox jumps r the lazy dog r the lazy . The dog. over the lazy dog. The quic quic k brown fox jumto be handled. These are defined The quick k brown fox ps over the bro lazy quick brown wn fox jumps over the jumps ove r the lazy dog dog. The fox jum ps lazy dog. The . over the lazy quic k brown dog. The quic fox jumps k brown fox over the lazy jumps ove dog. The r the lazy dog. BL Ethrough policies including: A CCEPTA USAGE e dog. Th the lazy ps over y dog. fox jum laz ick brown over the2.acceptable usage g. The qu wn fox jumps e lazy do bro y dog. Th ps over the dog. The quick ps ov er the laz g. fox jum the lazy fox jum y do brown ps over brown er the laz The quick fox jum e quick jumps ov brown the laz y dog. Th wn fox dog. Th e quick ps over y dog. The qu ick bro the lazy fox jum ps over y dog. brown laz fox jum the laz over the brown The quick wn fox jumps e quick fox jum ps over dog. Th quick bro the lazy ick brown ps over y dog. The qu fox jum brown er the laz The quick jumps ov wn fox quick bro3.privacy COPYRIGHT The quick brow quic k brow n fox jumps4.copyright n fox jumps over the lazy over the lazy dog. The quic dog. The quic k brown fox The quick brow k brown fox jumps over jumps over the lazy dog n fox jumps the lazy dog . The quick brow over the lazy . n fox jumps dog. The quic over the lazy k brown fox dog. The quic jum ps over The quic k brow k brown fox the lazy dog n fox jumps jumps over . The quick brow over the lazy the lazy dog n fox jumps dog. The quic . over the lazy k brown fox dog. The quic jumps over k brown fox the lazy dog jum ps over . The the lazy dog .5.security
1. Acceptable Usage Policy The quick ACCEPTAB USAGE PO The quick bro bro LE LICY quic k brown wn fox jumps over fox jumps the over the lazy lazy dog. The quick quick brown wn fox jum ps over dog. The quic brown k brown fox fox jumps over the lazy jumps ove r the lazy dog. The fox jumps the lazy dog dog. over the lazy . The dog. The quic quic k brown fox jum The quick k brown fox ps over the bro lazy quick brown wn fox jumps over the jumps ove r the lazy dog dog. The quic k brown fox jum ps over the lazy lazy dog. The quick . fox jumps brown fox brown fox over the lazy dog. The The quick jumps ove r the lazy jumps ove dog. The quic brown k brown fox fox jumps over the lazy dog. The• An acceptable usage policy (AUP) r the lazy dog. jumps ove The quick r the lazy dog. The brown fox dog. The quic quic k brown jumps ove k fox jumps r the lazy over the lazy dog. The quic dog. The quic k brown fox The quick k brown fox jumps ove bro r the lazy quic k brown wn fox jumps over jumps ove r the lazy dog. The fox jumps the dog. over the lazy lazy dog. The quick dog. T brown fox jumps ove r the lazy dog. The is a set of rules and guidelines that govern how a website can and should be used.• Such policies are often intended to reduce the legal risk of the misuse of a website.• An AUP can also enable action to be taken against a party that has misused a website.
Target AudienceWebsites are accessed and used bya wide range of people, including:•public visitors•business partners•internal staff•website developers/designers.
Catering to the Target AudienceFor example,• Website developers will be able to modifywebsite content. Their AUP must explicitlystate the correct procedures to follow whenchanging content.•A public visitor, however, will generally notchange content and the AUP should state thisto protect against malicious users intent onediting content.
EnforcementAUPs must balance the need(ii)to enforce users to view and accept the policy(iii)to ensure that this process does not to hinder theusability of a website.Common methods used to deliver AUPs and otherpolicies to users:•provide links to policies on every web page•require internal staff to sight and sign the AUP beforea user account is created•generate a message which reiterates key parts of theAUP when users login to a secured section
A key part of enforcing the AUP is tomonitor misuse and take action against it.• Actively monitoring web server statistics and event logs• These statistics/logs can point to suspicious activity, such as large amounts of uploads or downloads or a higher than normal number of unauthorised attempts to access secure sections.• Statistics can be monitored automatically, with automatic alerts sent when pre- established thresholds are crossed.
Taking Action Against MisuseIf the AUP is to be effective, action must be takenagainst any misuse.Typically, consequences are on an escalating scale. Forexample, you might:•issue a warning, demanding that the misuse stop andoutline possible further action•suspend a user’s access to a website and its services•terminate a user’s access to a website and its services•place a financial burden on the user/s to pay foradministrative costs, account reactivation etc•commence legal action against user/s.
Sample Acceptable Use PolicyAAPThttp://www.aapt.com.au/Acceptable-use-policy
2. Privacy The quick The quick The quick quic k brown brown fox fox jumps bro bro brown fox fox jumps jumps ove over the lazy PRIVACY quick brown wn fox jum ps over the fox jumps over the lazy quic k brown wn fox jumps over the fox jumps over the lazy jumps ove r the lazy lazy dog. The dog. The quic lazy dog. The dog. The quic r the lazy over the lazy dog. The quic dog. The quic dog. The dog. The quic quick brown fox k brown fox quic k brown k brown fox quick brown k brown fox k brown fox fox jumps jumps ove fox jumps jumps ove k brown fox over the lazy r the lazy dog dog. The over the lazy r the lazy jumps ove jumps ove jumps ove dog. r the lazy r the lazy . dog. The dog. The dog. The quic The quick jumps ove r the lazy k brown fox jumps ove r the lazy dog dog. The quic k bro quick brown r the lazy . wn fox jumps dog. The quic over the lazy k brown fox The quick dog. The quic jumps ove brown fox k brown fox r the lazy dog quick brown jumps ove jum ps ove . The fox jumps r the lazy r the lazy dog. The quic dog. over the lazy k brown fox dog. The quic jumps ove k brown fox r the lazy jumps ove r the lazy dog dog. The .Privacy can be defined as theability to control who can andcannot see information and underwhat terms. That informationincludes the identity of the personor organisation.
What information is collected? How will it be used?• Users must be confident that the personal and financial information they provide will be handled confidentially and be clear as to how the information will be used.
What is the difference between privacy and security? They are related but have one essentialdifference:•If confidential data is uncovered that does notidentify persons or organisations, then asecurity breach has occurred•If the data does reveal the identity of personsor organisations then it becomes a privacybreach.
What information is collected?• Whenever you visit a website the web server logs information such as:• IP address• type of browser• operating system• ISP• screen resolution• plug-ins used• what pages you visited• how long you stayed there• what website you came from.This information is very useful for web designers/developers but does not in itself pose a great privacy risk as there is no name or recognisable form of identification.
Collection of Sensitive Information• If you wish to purchase goods or services online or download ‘member’ data, it is highly likely that you will be asked to complete an online form asking for your details. Much of this data is unrelated to using a service, or fulfilling an online purchase.• By combining data about your behaviour on a website with your personal information, you are vulnerable to unwanted marketing from sources such as spam emails. – In severe cases you may even be the victim of identity theft, where a malicious user assumes your identity. Once they have assumed your identity they may purchase products and services using your credit card details and misrepresent or deface your online presence.
COPYRI Copyright Policy The quick quick bro brown fox jum The quick The quick wn fox quick bro brown fox jum wn fox jumps ove quick bro brown fox jum wn ps ps jumps ove over the lazy r the laz ps over the dog. y dog. Th The quick bro e quick r the laz lazy dog. The qu brown fox fox jumps ove over the lazy do y dog. Th e quick ick brown GHT wn brown fox fox jum ps ove jumps ove brown fox fox jumps ove jumps ove r the laz r the laz r the y dog. y dog. Th e jumps ove r the g. Th r the laz lazy dog. The y dog. fox jum ps over r the laz lazy dog. The e quick brown y dog. Th qu fox jum the lazy e quick ick brown fox ps dog. Th e quick bro jumps ove over the lazy do The quick brown fox wn fox jumps g. The quick bro brown fox jum jumps ove over the r the lazy dog. lazy dog. The wn fox ps jumps ove over the lazy r the laz y dog. The quick quick r the laz dog. Th brown The quick y dog. Th e quick brown quick bro brown fox jum e quick brown fox fox jum ps ove wn fox ps r the laz jumps ove over the lazy jumps ove r the laz y dog. Th r the laz dog. e y dog. Th The quick bro y dog.• The use of a copyright policy is e quick wn brown fox fox jumps ove jumps ove r the r the laz lazy dog. The y dog. designed to give protection to the website owner from the misuse of their intellectual property.• Online information is very easy to reproduce and re-transmit.• A copyright policy helps an organisation assert their rights over how their material is published, copied, distributed, adapted etc.
Creative Commons (CC).• Not all copyright is designed to prevent visitors from using, redistributing and adapting content. One approach is the use of CC allows you to open up copyright restrictions• . Allowing users greater access to material fosters a greater sense of community and good will which ultimately promotes the organisation.
What does a copyright policy cover?• Copyright policies should cover:• trademarks—logos, slogans, product names etc• web page text• images• audio• video• document downloads• software downloads• data stored in backend databases.
What should be included in a copyright policy?For general copyright policies they should include the following:•who owns the copyright to the material on the website – note thatcopyright may belong to a number of different contributors•what the copyright policy allows—reproduction, adaptation, re-distribution etc•whether permission is required to do any of the above and how toobtain it•what the copyright policy does not allow•a warning regarding uploading of copyright material to the website ifthis facility is available•a disclaimer to help protect from copyright material accidently hostedon the website•acknowledgments of any copyright material used with permission•what can be done if a copyright breach is suspected.
TY SECURI g. The Security Policy lazy do ver the fox jumps o e lazy dog. The k brown ver th . The The quic n fox jumps o r the lazy dog row ve . quick b x jumps o r the lazy dog rown fo ps ove quick b fox jum The quick brown e la zy dog. over th og. The fo x jumps lazy d k brown ver the . The The quic n fox jumps o r the lazy dog row ove g. quick b x jumps ver the lazy do rown fo o quick b x jumps og. The rown fo e lazy d quick b over th x jumps The zy dog. e• Online content provides ready access to data and fo la k brown ver the . Th The quic n fox jumps o r the lazy dog row ove g. quick b x jumps ver the lazy do rown fo o quick b x jumps rown fo quick b services. Increased access, however, requires increased security to safeguard personal or restricted information. A security policy is a must when the website provides sensitive information.• Usually security policy is covered by the AUP . However, for website policies covering groups such as website designers and developers, security issues become very important and warrant specific mention. Often these specific security issues are included in an organisation’s general IT security policy.
Security items that should be coveredinclude:• user names, passwords and logins to be kept confidential• All known incidences of security breaches or• suspicion that you have access to material from which you should be blocked must be reported.
Direct access to Website ContentFor users such as web designers with direct access towebsite content, you should include more specificsecurity items, such as:•new or modified content to be uploaded only oversecure channels—specify accepted encryption andsecurity techniques•web pages or services requiring visitor data such asusernames and passwords to be designed to transmitthis data over secure channels•Only include content that does not pose a security riskto the organisation
Access• Sites and pages designed so as to maintain levels of authorised access• Website systems to be monitored for misuse and security breaches• Levels of authorised access for any locally stored or archived material from the website—including printouts and emails— to be maintained• Guidelines to be provided for the website file, folder and database structure, to ensure that sensitive data is in access controlled locations• Guidelines to be provided to ensure that all appropriate checks and sign-offs are done prior to making changes live.
Enforcement of Security Policy• As with an AUP, a security policy is only as powerful as its enforcement.• Web designers and developers involved in uploading content to a website will need to have a sound understanding of the security technologies in use. It may be necessary to provide training and standards documentation in addition to any security policies.Security technologies may include:• encryption—private key, public key etc• FTPS and SFTP• TLS and SSL• digital signatures and certificates.
Obtaining a BalanceAll of the policies mentioned - AUP, security,privacy and copyright - should balance theinterests of the website owner and its visitors.•For owners, the policies are designed toprovide protection and communicate theirposition.• For visitors, the policies should help them beaware of their rights and responsibilities andinstil trust and confidence that the website willprotect their interests.