Acceptable Use Policy » History » Version 2

David Leedom, 03/25/2026 06:53 PM

# Acceptable Use Policy

{{toc}}

---

## Document Control

| Field              | Details                              |
|--------------------|--------------------------------------|
| **Policy Title**   | Acceptable Use Policy                |
| **Policy Owner**   | [IT Security / CISO Name]            |
| **Approved By**    | [Executive Sponsor Name]             |
| **Effective Date** | [YYYY-MM-DD]                         |
| **Review Cycle**   | Annual (or upon significant change)  |
| **Classification** | Internal                             |

### Version History

| Version | Date       | Author          | Description of Changes           |
|---------|------------|-----------------|----------------------------------|
| 1.0     | YYYY-MM-DD | [Author Name]   | Initial policy creation          |
| 1.1     | YYYY-MM-DD | [Author Name]   | [Brief description of changes]   |
| 1.2     | YYYY-MM-DD | [Author Name]   | [Brief description of changes]   |

---

## 1. Purpose

This Acceptable Use Policy (AUP) defines the acceptable and prohibited uses of [Company Name]'s information systems, networks, data, and technology resources. The purpose of this policy is to protect [Company Name], its employees, partners, and clients from harm caused by the misuse of company assets and data.

This policy supports [Company Name]'s commitment to SOC 2 Trust Services Criteria, specifically Common Criteria CC6.1 through CC6.8 (Logical and Physical Access Controls).

---

## 2. Scope

This policy applies to:

- All employees, contractors, consultants, temporary staff, and third-party agents ("users") who access [Company Name] systems or data.
- All company-owned and personal devices used to access company resources.
- All company networks, cloud environments, SaaS platforms, email systems, and communication tools.

---

## 3. General Acceptable Use

### 3.1 Acceptable Use

Company information systems are provided primarily for business purposes. Users are expected to:

- Use company systems responsibly, ethically, and in compliance with all applicable laws and regulations.
- Protect their authentication credentials and never share passwords or access tokens.
- Lock or log out of workstations when unattended.
- Report any suspected security incidents, policy violations, or vulnerabilities immediately to [IT Security Team / Helpdesk email].
- Complete all required security awareness training within designated timeframes.

### 3.2 Prohibited Use

Users must not:

- Use company systems for illegal activities, harassment, discrimination, or any purpose that violates company policy.
- Attempt to bypass, disable, or interfere with security controls, firewalls, or access restrictions.
- Install unauthorized software, browser extensions, or hardware on company-owned devices without prior IT approval.
- Access, download, or distribute obscene, offensive, or inappropriate material using company resources.
- Use company systems for personal commercial gain or to operate a personal business.
- Share, forward, or store company data in unauthorized locations or with unauthorized individuals.

---

## 4. Authentication and Access Control

- Users must use unique credentials and must not share accounts or passwords under any circumstances.
- Multi-factor authentication (MFA) is required for all systems that support it, including VPN, email, cloud platforms, and administrative consoles.
- Passwords must comply with [Company Name]'s Password Policy (minimum length, complexity, rotation requirements).
- Access to systems and data is granted on a least-privilege basis. Users should only request access necessary to perform their job functions.
- Users must notify IT immediately if they suspect their credentials have been compromised.

---

## 5. Data Handling and Classification

### 5.1 Data Classification Levels

All company data must be handled according to its classification level:

| Classification   | Description                                                                 | Examples                                      |
|------------------|-----------------------------------------------------------------------------|-----------------------------------------------|
| **Confidential** | Highly sensitive data; unauthorized disclosure causes significant harm      | PII, financial records, credentials, PHI      |
| **Internal**     | Internal business data; not intended for public release                     | Internal memos, project plans, org charts     |
| **Public**       | Information approved for public distribution                                | Marketing materials, published blog content   |

### 5.2 Handling Requirements

| Requirement          | Confidential                          | Internal                            | Public             |
|----------------------|---------------------------------------|-------------------------------------|--------------------|
| **Storage**          | Encrypted, access-controlled systems  | Approved company systems only       | No restrictions    |
| **Transmission**     | Encrypted in transit (TLS/VPN)        | Encrypted in transit preferred      | No restrictions    |
| **Sharing**          | Need-to-know, approved channels only  | Internal recipients only            | No restrictions    |
| **Disposal**         | Secure deletion / shredding           | Secure deletion                     | Standard disposal  |
| **Labeling**         | Required                              | Recommended                         | Optional           |

### 5.3 Data Handling Rules

- Users must not store Confidential or Internal data on personal devices, personal cloud accounts (e.g., personal Google Drive, Dropbox), or removable media unless explicitly authorized and encrypted.
- Data must not be transmitted via unencrypted channels (e.g., unencrypted email, SMS, public file-sharing services).
- Users must follow data retention and disposal schedules as defined in the Data Retention Policy.
- Any accidental exposure or loss of Confidential data must be reported immediately to [IT Security / Privacy Officer].

---

## 6. Remote Work and BYOD

### 6.1 Remote Access Requirements

- Remote access to company systems must occur through the company-approved VPN or zero-trust access solution.
- Users must ensure their home network is secured with WPA2/WPA3 encryption and a strong, unique router password.
- Work performed in public locations (e.g., cafes, airports) must use a VPN at all times; users should use privacy screens and avoid accessing Confidential data on public Wi-Fi without VPN protection.
- Remote sessions must be terminated when not actively in use.

### 6.2 Bring Your Own Device (BYOD)

Personal devices used to access company resources must meet the following minimum requirements:

- Operating system is up to date with the latest security patches.
- Device-level encryption is enabled (e.g., FileVault, BitLocker, or equivalent).
- A screen lock with a strong passcode or biometric authentication is enabled.
- Antivirus/endpoint protection software is installed and current (if applicable to the platform).
- The device must not be jailbroken or rooted.
- [Company Name] reserves the right to remotely wipe company data from personal devices upon termination or suspected compromise.

### 6.3 Physical Security

- Company-issued devices must be physically secured at all times (locked in a bag, drawer, or safe when unattended).
- Loss or theft of any device containing company data must be reported to IT within 24 hours.

---

## 7. Cloud Services and SaaS Usage

### 7.1 Approved Services

- Users may only use cloud services and SaaS platforms that have been vetted and approved by IT / Information Security.
- A current list of approved services is maintained at [link to approved software register or wiki page].
- Users must not sign up for or use unapproved cloud services to store, process, or transmit company data (commonly referred to as "Shadow IT").

### 7.2 SaaS Account Management

- All SaaS accounts must be provisioned through IT or an approved self-service process.
- Company SSO (Single Sign-On) must be used wherever supported.
- Users must enable MFA on any SaaS account that does not support SSO.
- Users must not use personal email addresses to create accounts for company business purposes.

### 7.3 Cloud Data Storage

- Company data stored in cloud platforms must reside in approved regions and comply with data residency requirements.
- Sharing permissions in cloud storage (e.g., Google Drive, SharePoint, Confluence) must follow least-privilege principles. Default sharing should be restricted to specific named individuals, not "anyone with the link."
- Users must periodically review and revoke unnecessary sharing permissions on files and folders they own.

### 7.4 Third-Party Integrations and API Access

- Connecting third-party applications or integrations to company SaaS platforms (e.g., OAuth app connections, Slack bots, browser extensions) requires prior IT Security approval.
- Users must not grant broad or unnecessary permissions to third-party integrations.

---

## 8. Email and Communications

- Company email and messaging systems (e.g., Slack, Teams) are for business use. Limited personal use is permitted provided it does not interfere with job duties or violate this policy.
- Users must not open suspicious attachments or click unverified links. Suspected phishing emails must be reported to [phishing report alias or IT Security].
- Auto-forwarding company email to external personal accounts is prohibited.
- Confidential information must not be sent via email unless encrypted or shared via an approved secure method.

---

## 9. Monitoring and Privacy

[Company Name] reserves the right to monitor, log, audit, and review all activity on company-owned systems, networks, and accounts. This includes but is not limited to:

- Email and messaging content
- Web browsing activity
- File access and transfers
- VPN and remote access logs
- Cloud and SaaS activity logs

Users should have no expectation of privacy when using company resources. Monitoring is conducted in accordance with applicable laws and regulations.

---

## 10. Incident Reporting

Users are required to immediately report any of the following to [IT Security Team / Contact]:

- Suspected or confirmed security breaches or data leaks
- Lost or stolen devices containing company data
- Suspected phishing, social engineering, or unauthorized access
- Violations of this policy by any user

Reports can be submitted via [email, ticketing system, or hotline]. Good-faith reporting will not result in retaliation.

---

## 11. Enforcement and Consequences

Violation of this policy may result in disciplinary action, up to and including:

- Revocation of system access
- Formal written warning
- Suspension or termination of employment or contract
- Legal action where warranted

The severity of the response will be proportional to the nature and impact of the violation. All violations will be documented and reviewed by [HR and IT Security / Compliance Officer].

---

## 12. Policy Review

This policy is reviewed at least annually or whenever a significant change occurs in the business environment, technology infrastructure, or regulatory requirements. All material changes will be communicated to users and require re-acknowledgment.

---

## 13. Acknowledgment

All employees, contractors, and third-party users with access to [Company Name] systems are required to acknowledge this policy by completing an assigned Redmine issue in the **HR Compliance** project.

### 13.1 Acknowledgment Process

1. Upon onboarding (or when this policy is updated), each user will be assigned a Redmine issue titled **"AUP Acknowledgment – [Employee Name] – [Policy Version]"** in the HR Compliance project.
2. The user must read this Acceptable Use Policy in its entirety.
3. To acknowledge the policy, the user must update the issue with a comment stating: *"I have read, understood, and agree to comply with the Acceptable Use Policy [Version X.X]."*
4. The user must then change the issue status to **Closed** (or **Resolved**, per your workflow).
5. The assigned manager will verify and close the issue if a secondary approval step is required.

### 13.2 Acknowledgment Tracking

- The HR Compliance project maintainer is responsible for creating acknowledgment issues for all in-scope users.
- A saved query or custom report in the HR Compliance project should be maintained to track outstanding acknowledgments.
- Acknowledgment issues must be completed within **[14 calendar days]** of assignment.
- Failure to complete the acknowledgment within the required timeframe may result in temporary suspension of system access.

### 13.3 Re-Acknowledgment

Re-acknowledgment is required under the following circumstances:

- Annual policy review cycle (even if the policy has not changed).
- Any material update to this policy (a new issue will be assigned referencing the updated version).
- Upon role change that grants access to higher-classification data or systems.

### 13.4 Audit Evidence

The Redmine issue history — including the user's comment, status change, and timestamp — serves as the formal record of acknowledgment for audit purposes. These records must be retained for a minimum of **[3 years]** or as required by applicable regulations.

---

## Related Policies

- Information Security Policy
- Password Policy
- Data Classification and Handling Policy
- Data Retention and Disposal Policy
- Incident Response Plan
- Remote Work Policy
- Vendor / Third-Party Risk Management Policy

---

*This document is the property of [Company Name] and is classified as Internal. Unauthorized distribution is prohibited.*