Acceptable Use Policy » History » Revision 2

David Leedom, 03/25/2026 06:53 PM


Acceptable Use Policy


Document Control

| Field | Details |
|---|---|
| Policy Title | Acceptable Use Policy |
| Policy Owner | [IT Security / CISO Name] |
| Approved By | [Executive Sponsor Name] |
| Effective Date | [YYYY-MM-DD] |
| Review Cycle | Annual (or upon significant change) |
| Classification | Internal |

Version History

| Version | Date | Author | Description of Changes |
|---|---|---|---|
| 1.0 | YYYY-MM-DD | [Author Name] | Initial policy creation |
| 1.1 | YYYY-MM-DD | [Author Name] | [Brief description of changes] |
| 1.2 | YYYY-MM-DD | [Author Name] | [Brief description of changes] |

1. Purpose

This Acceptable Use Policy (AUP) defines the acceptable and prohibited uses of [Company Name]'s information systems, networks, data, and technology resources. The purpose of this policy is to protect [Company Name], its employees, partners, and clients from harm caused by the misuse of company assets and data.

This policy supports [Company Name]'s commitment to SOC 2 Trust Services Criteria, specifically Common Criteria CC6.1 through CC6.8 (Logical and Physical Access Controls).


2. Scope

This policy applies to:

  • All employees, contractors, consultants, temporary staff, and third-party agents ("users") who access [Company Name] systems or data.
  • All company-owned and personal devices used to access company resources.
  • All company networks, cloud environments, SaaS platforms, email systems, and communication tools.

3. General Acceptable Use

3.1 Acceptable Use

Company information systems are provided primarily for business purposes. Users are expected to:

  • Use company systems responsibly, ethically, and in compliance with all applicable laws and regulations.
  • Protect their authentication credentials and never share passwords or access tokens.
  • Lock or log out of workstations when unattended.
  • Report any suspected security incidents, policy violations, or vulnerabilities immediately to [IT Security Team / Helpdesk email].
  • Complete all required security awareness training within designated timeframes.

3.2 Prohibited Use

Users must not:

  • Use company systems for illegal activities, harassment, discrimination, or any purpose that violates company policy.
  • Attempt to bypass, disable, or interfere with security controls, firewalls, or access restrictions.
  • Install unauthorized software, browser extensions, or hardware on company-owned devices without prior IT approval.
  • Access, download, or distribute obscene, offensive, or inappropriate material using company resources.
  • Use company systems for personal commercial gain or to operate a personal business.
  • Share, forward, or store company data in unauthorized locations or with unauthorized individuals.

4. Authentication and Access Control

  • Users must use unique credentials and must not share accounts or passwords under any circumstances.
  • Multi-factor authentication (MFA) is required for all systems that support it, including VPN, email, cloud platforms, and administrative consoles.
  • Passwords must comply with [Company Name]'s Password Policy (minimum length, complexity, rotation requirements).
  • Access to systems and data is granted on a least-privilege basis. Users should only request access necessary to perform their job functions.
  • Users must notify IT immediately if they suspect their credentials have been compromised.

5. Data Handling and Classification

5.1 Data Classification Levels

All company data must be handled according to its classification level:

| Classification | Description | Examples |
|---|---|---|
| Confidential | Highly sensitive data; unauthorized disclosure causes significant harm | PII, financial records, credentials, PHI |
| Internal | Internal business data; not intended for public release | Internal memos, project plans, org charts |
| Public | Information approved for public distribution | Marketing materials, published blog content |

5.2 Handling Requirements

| Requirement | Confidential | Internal | Public |
|---|---|---|---|
| Storage | Encrypted, access-controlled systems | Approved company systems only | No restrictions |
| Transmission | Encrypted in transit (TLS/VPN) | Encrypted in transit preferred | No restrictions |
| Sharing | Need-to-know, approved channels only | Internal recipients only | No restrictions |
| Disposal | Secure deletion / shredding | Secure deletion | Standard disposal |
| Labeling | Required | Recommended | Optional |

5.3 Data Handling Rules

  • Users must not store Confidential or Internal data on personal devices, personal cloud accounts (e.g., personal Google Drive, Dropbox), or removable media unless explicitly authorized and encrypted.
  • Data must not be transmitted via unencrypted channels (e.g., unencrypted email, SMS, public file-sharing services).
  • Users must follow data retention and disposal schedules as defined in the Data Retention Policy.
  • Any accidental exposure or loss of Confidential data must be reported immediately to [IT Security / Privacy Officer].

6. Remote Work and BYOD

6.1 Remote Access Requirements

  • Remote access to company systems must occur through the company-approved VPN or zero-trust access solution.
  • Users must ensure their home network is secured with WPA2/WPA3 encryption and a strong, unique router password.
  • Work performed in public locations (e.g., cafes, airports) must use a VPN at all times; users should use privacy screens and avoid accessing Confidential data on public Wi-Fi without VPN protection.
  • Remote sessions must be terminated when not actively in use.

6.2 Bring Your Own Device (BYOD)

Personal devices used to access company resources must meet the following minimum requirements:

  • Operating system is up to date with the latest security patches.
  • Device-level encryption is enabled (e.g., FileVault, BitLocker, or equivalent).
  • A screen lock with a strong passcode or biometric authentication is enabled.
  • Antivirus/endpoint protection software is installed and current (if applicable to the platform).
  • The device must not be jailbroken or rooted.
  • The company reserves the right to remotely wipe company data from personal devices upon termination or suspected compromise.

6.3 Physical Security

  • Company-issued devices must be physically secured at all times (locked in a bag, drawer, or safe when unattended).
  • Loss or theft of any device containing company data must be reported to IT within 24 hours.

7. Cloud Services and SaaS Usage

7.1 Approved Services

  • Users may only use cloud services and SaaS platforms that have been vetted and approved by IT / Information Security.
  • A current list of approved services is maintained at [link to approved software register or wiki page].
  • Users must not sign up for or use unapproved cloud services to store, process, or transmit company data (commonly referred to as "Shadow IT").

7.2 SaaS Account Management

  • All SaaS accounts must be provisioned through IT or an approved self-service process.
  • Company SSO (Single Sign-On) must be used wherever supported.
  • Users must enable MFA on any SaaS account that does not support SSO.
  • Users must not use personal email addresses to create accounts for company business purposes.

7.3 Cloud Data Storage

  • Company data stored in cloud platforms must reside in approved regions and comply with data residency requirements.
  • Sharing permissions in cloud storage (e.g., Google Drive, SharePoint, Confluence) must follow least-privilege principles. Default sharing should be restricted to specific named individuals, not "anyone with the link."
  • Users must periodically review and revoke unnecessary sharing permissions on files and folders they own.

7.4 Third-Party Integrations and API Access

  • Connecting third-party applications or integrations to company SaaS platforms (e.g., OAuth app connections, Slack bots, browser extensions) requires prior IT Security approval.
  • Users must not grant broad or unnecessary permissions to third-party integrations.

8. Email and Communications

  • Company email and messaging systems (e.g., Slack, Teams) are for business use. Limited personal use is permitted provided it does not interfere with job duties or violate this policy.
  • Users must not open suspicious attachments or click unverified links. Suspected phishing emails must be reported to [phishing report alias or IT Security].
  • Auto-forwarding company email to external personal accounts is prohibited.
  • Confidential information must not be sent via email unless encrypted or shared via an approved secure method.

9. Monitoring and Privacy

[Company Name] reserves the right to monitor, log, audit, and review all activity on company-owned systems, networks, and accounts. This includes but is not limited to:

  • Email and messaging content
  • Web browsing activity
  • File access and transfers
  • VPN and remote access logs
  • Cloud and SaaS activity logs

Users should have no expectation of privacy when using company resources. Monitoring is conducted in accordance with applicable laws and regulations.


10. Incident Reporting

Users are required to immediately report any of the following to [IT Security Team / Contact]:

  • Suspected or confirmed security breaches or data leaks
  • Lost or stolen devices containing company data
  • Suspected phishing, social engineering, or unauthorized access
  • Violations of this policy by any user

Reports can be submitted via [email, ticketing system, or hotline]. Good-faith reporting will not result in retaliation.


11. Enforcement and Consequences

Violation of this policy may result in disciplinary action, up to and including:

  • Revocation of system access
  • Formal written warning
  • Suspension or termination of employment or contract
  • Legal action where warranted

The severity of the response will be proportional to the nature and impact of the violation. All violations will be documented and reviewed by [HR and IT Security / Compliance Officer].


12. Policy Review

This policy is reviewed at least annually or whenever a significant change occurs in the business environment, technology infrastructure, or regulatory requirements. All material changes will be communicated to users and require re-acknowledgment.


13. Acknowledgment

All employees, contractors, and third-party users with access to [Company Name] systems are required to acknowledge this policy by completing an assigned Redmine issue in the HR Compliance project.

13.1 Acknowledgment Process

  1. Upon onboarding (or when this policy is updated), each user will be assigned a Redmine issue titled "AUP Acknowledgment – [Employee Name] – [Policy Version]" in the HR Compliance project.
  2. The user must read this Acceptable Use Policy in its entirety.
  3. To acknowledge the policy, the user must update the issue with a comment stating: "I have read, understood, and agree to comply with the Acceptable Use Policy [Version X.X]."
  4. The user must then change the issue status to Closed (or Resolved, per your workflow).
  5. The assigned manager will verify and close the issue if a secondary approval step is required.

13.2 Acknowledgment Tracking

  • The HR Compliance project maintainer is responsible for creating acknowledgment issues for all in-scope users.
  • A saved query or custom report in the HR Compliance project should be maintained to track outstanding acknowledgments.
  • Acknowledgment issues must be completed within [14 calendar days] of assignment.
  • Failure to complete the acknowledgment within the required timeframe may result in temporary suspension of system access.

13.3 Re-Acknowledgment

Re-acknowledgment is required under the following circumstances:

  • Annual policy review cycle (even if the policy has not changed).
  • Any material update to this policy (a new issue will be assigned referencing the updated version).
  • Upon role change that grants access to higher-classification data or systems.

13.4 Audit Evidence

The Redmine issue history — including the user's comment, status change, and timestamp — serves as the formal record of acknowledgment for audit purposes. These records must be retained for a minimum of [3 years] or as required by applicable regulations.


Related Policies

  • Information Security Policy
  • Password Policy
  • Data Classification and Handling Policy
  • Data Retention and Disposal Policy
  • Incident Response Plan
  • Remote Work Policy
  • Vendor / Third-Party Risk Management Policy

This document is the property of [Company Name] and is classified as Internal. Unauthorized distribution is prohibited.

Updated by David Leedom 3 months ago · 3 revisions