Acceptable Use Policy » History » Version 1

David Leedom, 03/25/2026 06:43 PM

# Acceptable Use Policy

{{toc}}

---

## Document Control

| Field              | Details                              |
|--------------------|--------------------------------------|
| **Policy Title**   | Acceptable Use Policy                |
| **Policy Owner**   | [IT Security / CISO Name]            |
| **Approved By**    | [Executive Sponsor Name]             |
| **Effective Date** | [YYYY-MM-DD]                         |
| **Review Cycle**   | Annual (or upon significant change)  |
| **Classification** | Internal                             |

### Version History

| Version | Date       | Author          | Description of Changes           |
|---------|------------|-----------------|----------------------------------|
| 1.0     | YYYY-MM-DD | [Author Name]   | Initial policy creation          |
| 1.1     | YYYY-MM-DD | [Author Name]   | [Brief description of changes]   |
| 1.2     | YYYY-MM-DD | [Author Name]   | [Brief description of changes]   |

---

## 1. Purpose

This Acceptable Use Policy (AUP) defines the acceptable and prohibited uses of Catalyst Aviation's information systems, networks, data, and technology resources. The purpose of this policy is to protect Catalyst Aviation, its employees, partners, and clients from harm caused by the misuse of company assets and data.

This policy supports Catalyst Aviation's commitment to SOC 2 Trust Services Criteria, specifically Common Criteria CC6.1 through CC6.8 (Logical and Physical Access Controls).

---

## 2. Scope

This policy applies to:

- All employees, contractors, consultants, temporary staff, and third-party agents ("users") who access Catalyst Aviation systems or data.
- All company-owned and personal devices used to access company resources.
- All company networks, cloud environments, SaaS platforms, email systems, and communication tools.

---

## 3. General Acceptable Use

### 3.1 Acceptable Use

Company information systems are provided primarily for business purposes. Users are expected to:

- Use company systems responsibly, ethically, and in compliance with all applicable laws and regulations.
- Protect their authentication credentials and never share passwords or access tokens.
- Lock or log out of workstations when unattended.
- Report any suspected security incidents, policy violations, or vulnerabilities immediately to [IT Security Team / Helpdesk email].
- Complete all required security awareness training within designated timeframes.

### 3.2 Prohibited Use

Users must not:

- Use company systems for illegal activities, harassment, discrimination, or any purpose that violates company policy.
- Attempt to bypass, disable, or interfere with security controls, firewalls, or access restrictions.
- Install unauthorized software, browser extensions, or hardware on company-owned devices without prior IT approval.
- Access, download, or distribute obscene, offensive, or inappropriate material using company resources.
- Use company systems for personal commercial gain or to operate a personal business.
- Share, forward, or store company data in unauthorized locations or with unauthorized individuals.

---

## 4. Authentication and Access Control

- Users must use unique credentials and must not share accounts or passwords under any circumstances.
- Multi-factor authentication (MFA) is required for all systems that support it, including VPN, email, cloud platforms, and administrative consoles.
- Passwords must comply with Catalyst Aviation's Password Policy (minimum length, complexity, rotation requirements).
- Access to systems and data is granted on a least-privilege basis. Users should only request access necessary to perform their job functions.
- Users must notify IT immediately if they suspect their credentials have been compromised.

---

## 5. Data Handling and Classification

### 5.1 Data Classification Levels

All company data must be handled according to its classification level:

| Classification   | Description                                                                 | Examples                                      |
|------------------|-----------------------------------------------------------------------------|-----------------------------------------------|
| **Confidential** | Highly sensitive data; unauthorized disclosure causes significant harm      | PII, financial records, credentials, PHI      |
| **Internal**     | Internal business data; not intended for public release                     | Internal memos, project plans, org charts     |
| **Public**       | Information approved for public distribution                                | Marketing materials, published blog content   |

### 5.2 Handling Requirements

| Requirement          | Confidential                          | Internal                            | Public             |
|----------------------|---------------------------------------|-------------------------------------|--------------------|
| **Storage**          | Encrypted, access-controlled systems  | Approved company systems only       | No restrictions    |
| **Transmission**     | Encrypted in transit (TLS/VPN)        | Encrypted in transit preferred      | No restrictions    |
| **Sharing**          | Need-to-know, approved channels only  | Internal recipients only            | No restrictions    |
| **Disposal**         | Secure deletion / shredding           | Secure deletion                     | Standard disposal  |
| **Labeling**         | Required                              | Recommended                         | Optional           |

### 5.3 Data Handling Rules

- Users must not store Confidential or Internal data on personal devices, personal cloud accounts (e.g., personal Google Drive, Dropbox), or removable media unless explicitly authorized and encrypted.
- Data must not be transmitted via unencrypted channels (e.g., unencrypted email, SMS, public file-sharing services).
- Users must follow data retention and disposal schedules as defined in the Data Retention Policy.
- Any accidental exposure or loss of Confidential data must be reported immediately to [IT Security / Privacy Officer].

---

## 6. Remote Work and BYOD

### 6.1 Remote Access Requirements

- Remote access to company systems must occur through the company-approved VPN or zero-trust access solution.
- Users must ensure their home network is secured with WPA2/WPA3 encryption and a strong, unique router password.
- When working in public locations (e.g., cafes, airports), users must connect through the VPN at all times; they should also use privacy screens and avoid accessing Confidential data on public Wi-Fi without VPN protection.
- Remote sessions must be terminated when not actively in use.

### 6.2 Bring Your Own Device (BYOD)

Personal devices used to access company resources must meet the following minimum requirements:

- Operating system is up to date with the latest security patches.
- Device-level encryption is enabled (e.g., FileVault, BitLocker, or equivalent).
- A screen lock with a strong passcode or biometric authentication is enabled.
- Antivirus/endpoint protection software is installed and current (if applicable to the platform).
- The device must not be jailbroken or rooted.
- The company reserves the right to remotely wipe company data from personal devices upon termination or suspected compromise.

### 6.3 Physical Security

- Company-issued devices must be physically secured at all times (locked in a bag, drawer, or safe when unattended).
- Loss or theft of any device containing company data must be reported to IT within 24 hours.

---

## 7. Cloud Services and SaaS Usage

### 7.1 Approved Services

- Users may only use cloud services and SaaS platforms that have been vetted and approved by IT / Information Security.
- A current list of approved services is maintained at [link to approved software register or wiki page].
- Users must not sign up for or use unapproved cloud services to store, process, or transmit company data (commonly referred to as "Shadow IT").

### 7.2 SaaS Account Management

- All SaaS accounts must be provisioned through IT or an approved self-service process.
- Company SSO (Single Sign-On) must be used wherever supported.
- Users must enable MFA on any SaaS account that does not support SSO.
- Users must not use personal email addresses to create accounts for company business purposes.

### 7.3 Cloud Data Storage

- Company data stored in cloud platforms must reside in approved regions and comply with data residency requirements.
- Sharing permissions in cloud storage (e.g., Google Drive, SharePoint, Confluence) must follow least-privilege principles. Default sharing should be restricted to specific named individuals, not "anyone with the link."
- Users must periodically review and revoke unnecessary sharing permissions on files and folders they own.

### 7.4 Third-Party Integrations and API Access

- Connecting third-party applications or integrations to company SaaS platforms (e.g., OAuth app connections, Slack bots, browser extensions) requires prior IT Security approval.
- Users must not grant broad or unnecessary permissions to third-party integrations.

---

## 8. Email and Communications

- Company email and messaging systems (e.g., Slack, Teams) are for business use. Limited personal use is permitted provided it does not interfere with job duties or violate this policy.
- Users must not open suspicious attachments or click unverified links. Suspected phishing emails must be reported to [phishing report alias or IT Security].
- Auto-forwarding company email to external personal accounts is prohibited.
- Confidential information must not be sent via email unless encrypted or shared via an approved secure method.

---

## 9. Monitoring and Privacy

Catalyst Aviation reserves the right to monitor, log, audit, and review all activity on company-owned systems, networks, and accounts. This includes but is not limited to:

- Email and messaging content
- Web browsing activity
- File access and transfers
- VPN and remote access logs
- Cloud and SaaS activity logs

Users should have no expectation of privacy when using company resources. Monitoring is conducted in accordance with applicable laws and regulations.

---

## 10. Incident Reporting

Users are required to immediately report any of the following to [IT Security Team / Contact]:

- Suspected or confirmed security breaches or data leaks
- Lost or stolen devices containing company data
- Suspected phishing, social engineering, or unauthorized access
- Violations of this policy by any user

Reports can be submitted via [email, ticketing system, or hotline]. Good-faith reporting will not result in retaliation.

---

## 11. Enforcement and Consequences

Violation of this policy may result in disciplinary action, up to and including:

- Revocation of system access
- Formal written warning
- Suspension or termination of employment or contract
- Legal action where warranted

The severity of the response will be proportional to the nature and impact of the violation. All violations will be documented and reviewed by [HR and IT Security / Compliance Officer].

---

## 12. Policy Review

This policy is reviewed at least annually or whenever a significant change occurs in the business environment, technology infrastructure, or regulatory requirements. All material changes will be communicated to users and require re-acknowledgment.

---

## 13. Acknowledgment

By accessing Catalyst Aviation systems and resources, I acknowledge that I have read, understood, and agree to comply with this Acceptable Use Policy.

| Field                | Details             |
|----------------------|---------------------|
| **Employee Name**    | __________________  |
| **Signature**        | __________________  |
| **Date**             | __________________  |
| **Manager Name**     | __________________  |
| **Manager Signature**| __________________  |

---

## Related Policies

- Information Security Policy
- Password Policy
- Data Classification and Handling Policy
- Data Retention and Disposal Policy
- Incident Response Plan
- Remote Work Policy
- Vendor / Third-Party Risk Management Policy

---

*This document is the property of Catalyst Aviation and is classified as Internal. Unauthorized distribution is prohibited.*