The Scenario
An SME owner approaches your IT support firm and asks for an acceptable use policy (AUP) for their 30 staff. They have no policy at all today and have just had a near-miss with a phishing attack. They want a single page that staff will actually read and that the firm could enforce in an HR conversation.
The Brief
Produce a complete AUP suitable for a South African SME, plus a short briefing note explaining the trade-offs you made. The policy must be enforceable, POPIA-aware, and credible to both technical and non-technical readers.
Deliverables
- A one-page AUP covering: scope, acceptable and unacceptable use, password policy, BYOD position, email and web monitoring disclosure, data handling, social media use, and consequences for breach
- A short briefing note (under 400 words) explaining: which clauses you kept tight and why, which you deliberately left flexible and why, and how the policy aligns with POPIA and the BCEA
- A staff-facing summary: a half-page version a manager could send to staff alongside the full policy, written in plain language
- An implementation checklist: how the SME would roll out the policy (training, sign-off, monitoring) in their first month
Submission Guidance
A good AUP balances clarity with enforceability. Vague phrases ("appropriate use of company assets") are unenforceable; over-specific lists ("no Facebook between 9 and 5") are out of date the day they ship. Aim for principles plus examples, not exhaustive rules.