Revision 1 (David Leedom, 03/25/2026 06:43 PM) → Revision 2/3 (David Leedom, 03/25/2026 06:53 PM)
# Acceptable Use Policy
{{toc}}
---
## Document Control
| Field | Details |
|--------------------|--------------------------------------|
| **Policy Title** | Acceptable Use Policy |
| **Policy Owner** | [IT Security / CISO Name] |
| **Approved By** | [Executive Sponsor Name] |
| **Effective Date** | [YYYY-MM-DD] |
| **Review Cycle** | Annual (or upon significant change) |
| **Classification** | Internal |
### Version History
| Version | Date | Author | Description of Changes |
|---------|------------|-----------------|----------------------------------|
| 1.0 | YYYY-MM-DD | [Author Name] | Initial policy creation |
| 1.1 | YYYY-MM-DD | [Author Name] | [Brief description of changes] |
| 1.2 | YYYY-MM-DD | [Author Name] | [Brief description of changes] |
---
## 1. Purpose
This Acceptable Use Policy (AUP) defines the acceptable and prohibited uses of Catalyst Aviation's information systems, networks, data, and technology resources. The purpose of this policy is to protect Catalyst Aviation, its employees, partners, and clients from harm caused by the misuse of company assets and data.
This policy supports Catalyst Aviation's commitment to the SOC 2 Trust Services Criteria, specifically Common Criteria CC6.1 through CC6.8 (Logical and Physical Access Controls).
---
## 2. Scope
This policy applies to:
- All employees, contractors, consultants, temporary staff, and third-party agents ("users") who access Catalyst Aviation systems or data.
- All company-owned and personal devices used to access company resources.
- All company networks, cloud environments, SaaS platforms, email systems, and communication tools.
---
## 3. General Acceptable Use
### 3.1 Acceptable Use
Company information systems are provided primarily for business purposes. Users are expected to:
- Use company systems responsibly, ethically, and in compliance with all applicable laws and regulations.
- Protect their authentication credentials and never share passwords or access tokens.
- Lock or log out of workstations when unattended.
- Report any suspected security incidents, policy violations, or vulnerabilities immediately to [IT Security Team / Helpdesk email].
- Complete all required security awareness training within designated timeframes.
### 3.2 Prohibited Use
Users must not:
- Use company systems for illegal activities, harassment, discrimination, or any purpose that violates company policy.
- Attempt to bypass, disable, or interfere with security controls, firewalls, or access restrictions.
- Install software, browser extensions, or hardware on company-owned devices without prior IT approval.
- Access, download, or distribute obscene, offensive, or inappropriate material using company resources.
- Use company systems for personal commercial gain or to operate a personal business.
- Share, forward, or store company data in unauthorized locations or with unauthorized individuals.
---
## 4. Authentication and Access Control
- Users must use unique credentials and must not share accounts or passwords under any circumstances.
- Multi-factor authentication (MFA) is required for all systems that support it, including VPN, email, cloud platforms, and administrative consoles.
- Passwords must comply with Catalyst Aviation's Password Policy (minimum length, complexity, rotation requirements).
- Access to systems and data is granted on a least-privilege basis. Users should only request access necessary to perform their job functions.
- Users must notify IT immediately if they suspect their credentials have been compromised.
---
## 5. Data Handling and Classification
### 5.1 Data Classification Levels
All company data must be handled according to its classification level:
| Classification | Description | Examples |
|------------------|-----------------------------------------------------------------------------|-----------------------------------------------|
| **Confidential** | Highly sensitive data; unauthorized disclosure causes significant harm | PII, financial records, credentials, PHI |
| **Internal** | Internal business data; not intended for public release | Internal memos, project plans, org charts |
| **Public** | Information approved for public distribution | Marketing materials, published blog content |
### 5.2 Handling Requirements
| Requirement | Confidential | Internal | Public |
|----------------------|---------------------------------------|-------------------------------------|--------------------|
| **Storage** | Encrypted, access-controlled systems | Approved company systems only | No restrictions |
| **Transmission** | Encrypted in transit (TLS/VPN) | Encrypted in transit preferred | No restrictions |
| **Sharing** | Need-to-know, approved channels only | Internal recipients only | No restrictions |
| **Disposal** | Secure deletion / shredding | Secure deletion | Standard disposal |
| **Labeling** | Required | Recommended | Optional |
### 5.3 Data Handling Rules
- Users must not store Confidential or Internal data on personal devices, personal cloud accounts (e.g., personal Google Drive, Dropbox), or removable media unless explicitly authorized and encrypted.
- Confidential data must not be transmitted via unencrypted channels (e.g., unencrypted email, SMS, public file-sharing services); Internal data should be encrypted in transit wherever the channel supports it, consistent with the handling requirements in Section 5.2.
- Users must follow data retention and disposal schedules as defined in the Data Retention Policy.
- Any accidental exposure or loss of Confidential data must be reported immediately to [IT Security / Privacy Officer].
---
## 6. Remote Work and BYOD
### 6.1 Remote Access Requirements
- Remote access to company systems must occur through the company-approved VPN or zero-trust access solution.
- Users must ensure their home network is secured with WPA2/WPA3 encryption and a strong, unique router password.
- Work performed in public locations (e.g., cafes, airports) must be done over the VPN at all times; users should use privacy screens and, where possible, avoid working with Confidential data on public Wi-Fi even with the VPN connected.
- Remote sessions must be terminated when not actively in use.
### 6.2 Bring Your Own Device (BYOD)
Personal devices used to access company resources must meet the following minimum requirements:
- Operating system is up to date with the latest security patches.
- Device-level encryption is enabled (e.g., FileVault, BitLocker, or equivalent).
- A screen lock with a strong passcode or biometric authentication is enabled.
- Antivirus/endpoint protection software is installed and current (if applicable to the platform).
- The device must not be jailbroken or rooted.
- Catalyst Aviation reserves the right to remotely wipe company data from personal devices upon termination or suspected compromise.
### 6.3 Physical Security
- Company-issued devices must be physically secured at all times (locked in a bag, drawer, or safe when unattended).
- Loss or theft of any device containing company data must be reported to IT immediately upon discovery, and in no case later than 24 hours afterwards (see also Section 10).
---
## 7. Cloud Services and SaaS Usage
### 7.1 Approved Services
- Users may only use cloud services and SaaS platforms that have been vetted and approved by IT / Information Security.
- A current list of approved services is maintained at [link to approved software register or wiki page].
- Users must not sign up for or use unapproved cloud services to store, process, or transmit company data (commonly referred to as "Shadow IT").
### 7.2 SaaS Account Management
- All SaaS accounts must be provisioned through IT or an approved self-service process.
- Company SSO (Single Sign-On) must be used wherever supported.
- Users must enable MFA on any SaaS account that does not support SSO.
- Users must not use personal email addresses to create accounts for company business purposes.
### 7.3 Cloud Data Storage
- Company data stored in cloud platforms must reside in approved regions and comply with data residency requirements.
- Sharing permissions in cloud storage (e.g., Google Drive, SharePoint, Confluence) must follow least-privilege principles. Default sharing should be restricted to specific named individuals, not "anyone with the link."
- Users must periodically review and revoke unnecessary sharing permissions on files and folders they own.
### 7.4 Third-Party Integrations and API Access
- Connecting third-party applications or integrations to company SaaS platforms (e.g., OAuth app connections, Slack bots, browser extensions) requires prior IT Security approval.
- Users must not grant broad or unnecessary permissions to third-party integrations.
---
## 8. Email and Communications
- Company email and messaging systems (e.g., Slack, Teams) are for business use. Limited personal use is permitted provided it does not interfere with job duties or violate this policy.
- Users must not open suspicious attachments or click unverified links. Suspected phishing emails must be reported to [phishing report alias or IT Security].
- Auto-forwarding company email to external personal accounts is prohibited.
- Confidential information must not be sent via email unless encrypted or shared via an approved secure method.
---
## 9. Monitoring and Privacy
Catalyst Aviation reserves the right to monitor, log, audit, and review all activity on company-owned systems, networks, and accounts. This includes but is not limited to:
- Email and messaging content
- Web browsing activity
- File access and transfers
- VPN and remote access logs
- Cloud and SaaS activity logs
Users should have no expectation of privacy when using company resources. Monitoring is conducted in accordance with applicable laws and regulations.
---
## 10. Incident Reporting
Users are required to immediately report any of the following to [IT Security Team / Contact]:
- Suspected or confirmed security breaches or data leaks
- Lost or stolen devices containing company data
- Suspected phishing, social engineering, or unauthorized access
- Violations of this policy by any user
Reports can be submitted via [email, ticketing system, or hotline]. Good-faith reporting will not result in retaliation.
---
## 11. Enforcement and Consequences
Violation of this policy may result in disciplinary action, up to and including:
- Revocation of system access
- Formal written warning
- Suspension or termination of employment or contract
- Legal action where warranted
The severity of the response will be proportional to the nature and impact of the violation. All violations will be documented and reviewed by [HR and IT Security / Compliance Officer].
---
## 12. Policy Review
This policy is reviewed at least annually or whenever a significant change occurs in the business environment, technology infrastructure, or regulatory requirements. All material changes will be communicated to users and require re-acknowledgment.
---
## 13. Acknowledgment
By accessing Catalyst Aviation systems and resources, I acknowledge that I have read, understood, and agree to comply with this Acceptable Use Policy.
| Field | Details |
|-----------------------|---------------------|
| **Employee Name** | __________________ |
| **Signature** | __________________ |
| **Date** | __________________ |
| **Manager Name** | __________________ |
| **Manager Signature** | __________________ |
---
## Related Policies
- Information Security Policy
- Password Policy
- Data Classification and Handling Policy
- Data Retention and Disposal Policy
- Incident Response Plan
- Remote Work Policy
- Vendor / Third-Party Risk Management Policy
---
*This document is the property of Catalyst Aviation and is classified as Internal. Unauthorized distribution is prohibited.*