"Template" for handing out user & passwords for employees

security

Within this relatively small company I work for, I have been handing out usernames and passwords written very simply in a word document.

I wish for this process to be more professional now that we are expanding and quite regularly acquire new employees, to include some text stating things such as having responsibility of keeping the sensitive information for themselves, to not inflict any intentional damage to the systems, yada yada. Basic, common sense, I guess you could say "legal" stuff, is what I am looking for and then I would want the employee to finally sign a copy.

Does such a template already exist online? Are there perhaps any other recommendations as to what I otherwise could do? My last resort would probably have my boss, ceo, to have our lawyer produce something, but that would turn into a very expensive project.

Any help will be greatly appreciated!


Solution 1:

You're looking for boilerplate Acceptable Use Policy documents. I like the SANS one, but your mileage may vary. You REALLY want to run that document (or any policy) by your boss and probably legal before deploying it. Your state and/or federal requirements may be vastly different than where the template you modify was generated.

Solution 2:

This is something I think you should write yourself. You can certainly look at other AUPs to get ideas, but it should be tailored to your environment.

For myself, I find an informal, non-legalistic document to work best for a smallish company. Ours spells out a few specific things we don't want people to do, it tells them a few things they should do (e.g. where to keep what type of files), tells them when/how they should ask for help.

You do need to run it by your boss and probably other managers, but I find that if the intent is to educate people about good and bad computer use, it needn't be a big deal.

Solution 3:

I believe you are looking for an Acceptable Use Policy.

http://en.wikipedia.org/wiki/Acceptable_use_policy

Your company's administration and possibly lawyer should be involved in the creation and drafting of such a document if you have any hope of enforcing it. If it's just a formality, I say have at modifying one that you can find online.

Related

How to gzip logs created by rotatelogs
HP Microserver Mini-SAS Cable
.htaccess does not ask the password
Using tmpfs + a very large swap partition for /tmp instead of a regular filesystem?
mysqldump ignore table with wildcard
bind apache ssl port with different port with same openssl port 443
How to check a route exist between two hosts for a particular port?
Memcached listen on selected interfaces
Why do servers have SAS instead of SSDs? [closed]
Does "~all" in the middle of an SPF record signal the end of the record when it is parsed?
Centos 7/1503 -- Getting Error setting up base repository during installation
SUBST Command is Broken in Windows 10 [closed]