U.S. Navy nails Internet usage policy

Here’s an idea to start the new year: Treat your users like sailors. Yeah, really. Right now, the U.S. Navy is putting the finishing touches on its new appropriate-use policy for IT. This policy will apply to about 900,000 users, including military personnel, civilian employees and contractors. When it goes into effect this spring, it will cover everything from PCs and networks to cell phones and fax machines, in places ranging from battle zones to bureaucrats’ offices.

In other words, the Navy’s policy will cover more users, with more diversity, in more different situations than you’ll ever need to worry about. Now that’s someplace to look for a model.

Better still, the new Navy policy shows signs of being a remarkably sane model for what users should do with IT, at least the way it’s described by Robert J. Carey, the Navy’s deputy chief information officer for policy and integration.

The main principle is that if it interferes with Navy operations, users shouldn’t do it.

And if it’s illegal or a violation of regulations or contract requirements, users shouldn’t do it.

Otherwise, it’s probably OK.

Bet your appropriate-use policy can’t be summarized that simply, can it?

Here’s another key feature of the Navy’s policy: According to Carey, personal use of Navy IT equipment is good for morale. Sending personal e-mail, surfing the Web and shopping online during breaks are all fine — as long as they don’t hog bandwidth or otherwise interfere with Navy operations.

So if the sailors, Marines and civilians who use Navy-issued IT gear make sure the Navy’s work gets done, personal use isn’t just OK — it’s actually a good thing.

That’s a truly elegant core policy. Sure, by the time it’s officially issued it will probably be spun out into endless pages of milspec jargon. But because it’s clear and simple at its core, this appropriate-use policy will likely work anyway.

That’s fine for the Navy. But can you treat your users like sailors?

The answer: Maybe.

After all, your users probably aren’t military personnel. That means precious few of them are being shot at. It also means their sense of organizational mission is different. Your users aren’t focused on defending their nation; they’re more likely concerned with defending their budgets, jobs and retirement plans. This isn’t an adventure — it’s a job.

So if your company’s culture is such that you really can’t trust users to stay focused on the corporate mission, then a working principle like “Don’t do it if it interferes with business” probably won’t do much good. (If your users are that unfocused and untrustworthy, maybe you should be looking for a new place to work, not just a better appropriate-use policy.)

But chances are, your users stay focused mostly on business. So having a simple, common-sense principle at the core of your acceptable-use policy will work fine.

Instead of long lists of what is and isn’t acceptable — lists you’re forever lengthening to close new loopholes — you’ll have a few simple tests for non-work-related IT use. Is it illegal? Is it on company time? Does it interfere with business?

Those are tests that business-side managers can understand. Even your chief executive officer can grasp them. Users who require micromanagement won’t like this approach, but everyone else will get it. They can even enforce it themselves, so you don’t have to play policy cop.

That’s the other advantage of a Navy-style appropriate-use policy: It’s not us or them, IT vs. users. It’s all about staying focused on what’s important to the business.

So we might as well try treating our users like sailors. After all, when it comes to using IT, we’re all in the same boat.

Hayes is Computerworld U.S.’s senior news columnist.
