The following article explains the portions of the Acceptable Use Policy that we most frequently see questions about, and what each section means in practice.
Guidance statements appear in bold and enclosed in brackets "[ ]" directly below the policy statements they explain.
Acceptable Use Policy
[COMPANY NAME]
____________________________________________________________________________
Purpose
This policy specifies acceptable use of end-user computing devices and technology. Additionally, training is imperative to ensuring an understanding of current best practices, the different types and sensitivities of data, and the sanctions associated with non-compliance.
Scope
[The Scope section is OPTIONAL for SOC 2, but may be REQUIRED for other frameworks such as CCM.]
Applies to all [COMPANY NAME] personnel who utilize company IT assets.
Company assets are those assets that are owned or managed by [COMPANY NAME], which include <LIST ASSETS OR ASSET TYPES>.
[Company assets can include end-user devices (e.g., laptops, desktops, smartphones), network and security infrastructure (e.g., servers, VPNs, security software), cloud services (e.g., communication, collaboration, file storage), intellectual property, internal resources, authentication systems (e.g., email, MFA), and backup/disaster recovery systems.]
Policy
[COMPANY NAME] policy requires that:
Employees, contractors and third-party users must agree to and sign the terms and conditions of their employment contract, and comply with this acceptable use policy.
Employees will go through an onboarding process that familiarizes them with the environments, systems, security requirements, and procedures [COMPANY NAME] has in place. Employees will also have ongoing security awareness training that is audited.
Employee offboarding will include reiterating any duties and responsibilities that remain in effect after termination, verifying that access to all [COMPANY NAME] systems has been removed, and ensuring that all company-owned assets are returned.
[COMPANY NAME] and its employees will take reasonable measures to ensure that confidential corporate data is not transmitted over unapproved digital channels (for example, personal email) or posted on social media outlets.
[COMPANY NAME] will maintain a list of prohibited activities that will be part of onboarding procedures and have training available if/when the list of those activities changes.
A fair disciplinary process will be used for employees who are suspected of committing breaches of security. Multiple factors will be considered when deciding the response, such as whether this was a first offense, the training the employee received, business contracts, etc. [COMPANY NAME] reserves the right to terminate employees in cases of serious misconduct.
Clean Desk/Work Area
Authorized users will ensure that all sensitive/confidential materials, hardcopy or electronic, are removed from their workspace and locked away when the items are not in use or when the employee leaves their workstation. This also raises awareness about protecting sensitive information. As such:
Employees are required to ensure that all sensitive/confidential information, hardcopy or electronic, is secure in their work area at the end of the day and when they are expected to be gone for an extended period.
Computer workstations must be locked when the workspace is not in use, and must be shut down completely at the end of the day.
Sensitive information must be removed from the desk and securely stored when the desk is unattended, and at the end of the day.
Laptops and other portable computing devices must be properly stored/secured.
File cabinets containing restricted or sensitive information must be kept closed and locked when not in use or when not attended.
Keys used for access to restricted or sensitive information must not be left at an unattended desk.
Passwords may not be left on sticky notes posted on or under a computer, nor may they be left written down in an accessible location.
Printouts containing restricted or sensitive information should be immediately removed from the printer.
Upon disposal, restricted and/or sensitive documents should be shredded in the official shredder bins or placed in the locked confidential disposal bins.
Whiteboards containing restricted and/or sensitive information should be erased.
Treat mass storage devices such as external hard drives or USB drives as sensitive and always secure and encrypt them.
All printers and fax machines should be cleared of papers as soon as they are printed; this helps ensure that sensitive documents are not left in printer trays for the wrong person to pick up.
[To implement this, organizations should establish basic security practices to protect sensitive information. This includes locking computers when unattended, securely storing documents and devices, and keeping workspaces clear of confidential materials when not in use. Guidelines should be in place for safely disposing of documents, avoiding written passwords, and properly handling items like USB drives.]
Employee Workstation Use
All workstations at [COMPANY NAME] are company owned, and all are laptops running Windows, macOS or Linux.
Workstations may not be used to engage in any activity that is illegal or is in violation of company policies.
Access may not be used for transmitting, retrieving, or storage of any communications of a discriminatory or harassing nature or materials that are obscene or "X-rated". Harassment of any kind is prohibited. No messages with derogatory or inflammatory remarks about an individual's race, age, disability, religion, national origin, physical attributes, sexual preference, or health condition will be transmitted or maintained. No abusive, hostile, profane, or offensive language is to be transmitted through the organization's system.
Information systems/applications also may not be used for any other purpose that is illegal, unethical, or against company policies or contrary to the company's best interests. Messages containing information related to a lawsuit or investigation may not be sent without prior approval.
Solicitation of non-company business, or any use of the company's information systems/applications for personal gain is prohibited.
Users may not misrepresent, obscure, suppress, or replace another user's identity in transmitted or stored messages.
Workstation hard drives must be encrypted (whole-disk encryption).
All workstations must have a host firewall enabled that blocks inbound connections unless explicitly permitted.
[This section describes how organizations ensure all company-owned workstations are encrypted, have firewalls enabled, and are used only for approved, work-related activities. Policies should prohibit illegal, unethical, or inappropriate use, including harassment, personal gain, or identity misrepresentation, to maintain a secure and respectful environment.]
Internet/Intranet Access and Use
Use of [COMPANY NAME] computers, networks, and Internet access is a privilege granted by management and may be revoked at any time for inappropriate conduct carried out on such systems, including, but not limited to:
Sending chain letters or participating in any way in the creation or transmission of unsolicited "spam" that is unrelated to legitimate Company purposes;
Engaging in private or personal business activities, including excessive use of instant messaging and chat rooms;
Accessing networks, servers, drives, folders, or files to which the employee has not been granted access or authorization from someone with the right to make such a grant;
Making unauthorized copies of Company files or other Company data;
Destroying, deleting, erasing, or concealing Company files or other Company data, or otherwise making such files or data unavailable or inaccessible to the Company or to other authorized users of Company systems;
Misrepresenting oneself or the Company;
Violating the laws and regulations of federal, state, city, province, or local jurisdictions in any way;
Engaging in unlawful or malicious activities;
Deliberately propagating any virus, worm, Trojan horse, trap-door program code, or other code or file designed to disrupt, disable, impair, or otherwise harm either the Company's networks or systems or those of any other individual or entity;
Using abusive, profane, threatening, racist, sexist, or otherwise objectionable language in either public or private messages;
Sending, receiving, or accessing pornographic materials;
Causing congestion, disruption, disablement, alteration, or impairment of Company networks or systems;
Using recreational games; and/or
Defeating or attempting to defeat security restrictions on company systems and applications.
Such access will be discontinued upon termination of employment, completion of contract, end of service of a non-employee, or disciplinary action arising from violation of this policy. In the case of a change in job function and/or transfer, the original access will be discontinued and only reissued if necessary, after a new request for access is approved.
All user IDs that have been inactive for thirty (30) days will be revoked. The privileges granted to users must be reevaluated by management annually. In response to feedback from management, systems administrators must promptly revoke all privileges no longer needed by users.
[This section outlines how organizations should enforce clear acceptable use policies for company systems, prohibiting personal use, unauthorized access, data misuse, malware activity, and inappropriate content or behavior.]
Teleworking
Requirements
Secure remote access must be strictly controlled with encryption (e.g., Virtual Private Networks (VPNs)) and strong pass-phrases. Refer to the Encryption Policy and the Password Policy for further information.
Authorized Users must protect their login and password, without exception.
While using a [COMPANY NAME]-owned computer to remotely connect to the company's network, authorized users must ensure the remote host is not connected to any other network at the same time, with the exception of personal networks that are under their complete control or under the complete control of an authorized user or third party.
The most up-to-date antivirus software must be used on all computers. Third party connections must comply with requirements as stated in the Vendor Management Agreement.
Equipment used to connect to [COMPANY NAME]'s networks must meet the requirements for remote access and device use as stated in the Acceptable Use Policy, Asset Management Policy, and System Access Control Policy.
[Secure remote access should be enforced using encryption (such as VPNs) and strong passwords, with strict protection of login credentials. Remote devices should not connect to unauthorized networks, except for trusted personal networks. All devices should run up-to-date antivirus software and comply with remote access, acceptable use, and vendor management policies to ensure secure and authorized connections.]
Remote Access Tools
All remote access tools used to communicate between [COMPANY NAME] assets and other systems must comply with the following policy requirements:
Multi-factor authentication (such as authentication tokens and smart cards that require an additional PIN or password) is required for all remote access tools.
The authentication database source must be Active Directory or LDAP, and the authentication protocol must involve a challenge-response protocol that is not susceptible to replay attacks. The remote access tool must mutually authenticate both ends of the session.
Remote access tools must support the [COMPANY NAME] application layer proxy rather than direct connections through the perimeter firewall(s).
Remote access tools must support strong, end-to-end encryption of the remote access communication channels as specified in the Encryption Policy.
All antivirus, data loss prevention, and other security systems must not be disabled, interfered with, or circumvented in any way.
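The two authentication properties required above (a challenge-response exchange that cannot be replayed, and mutual authentication of both ends) are easy to state and easy to get wrong. The following is an added example, not part of the policy template or of any particular remote access product: it shows a minimal mutual challenge-response handshake over a hypothetical pre-shared key, and why a captured proof is useless in a later session. Real deployments would back this with Active Directory/LDAP as the policy requires; the shared key, the party names and the message layout here are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical pre-shared secret provisioned to both ends out of band (assumption for this example).
SHARED_KEY = b"example-shared-key-not-for-production"


def proof(key: bytes, role: bytes, own_nonce: bytes, peer_nonce: bytes) -> bytes:
    """Keyed MAC binding this party's role and BOTH fresh nonces.
    Binding the peer's nonce is what defeats replay: the peer picks a new
    nonce every session, so an old proof never matches a new challenge.
    The role byte string stops a reflection attack (echoing the peer's own
    proof back to it)."""
    return hmac.new(key, role + own_nonce + peer_nonce, hashlib.sha256).digest()


class Server:
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.seen_client_nonces: set[bytes] = set()

    def start(self, client_nonce: bytes) -> tuple[bytes, bytes]:
        """Message 2: answer the client's challenge and issue our own."""
        if client_nonce in self.seen_client_nonces:
            raise ValueError("replayed client nonce")   # whole first message replayed
        self.seen_client_nonces.add(client_nonce)
        server_nonce = secrets.token_bytes(16)
        return server_nonce, proof(self.key, b"server", server_nonce, client_nonce)

    def finish(self, client_nonce: bytes, server_nonce: bytes, client_proof: bytes) -> bool:
        """Message 3 check: did the client answer THIS session's server nonce?"""
        expected = proof(self.key, b"client", client_nonce, server_nonce)
        return hmac.compare_digest(expected, client_proof)   # constant-time compare


class Client:
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.nonce = b""

    def start(self) -> bytes:
        """Message 1: a fresh challenge for the server."""
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def verify_server(self, server_nonce: bytes, server_proof: bytes) -> bool:
        expected = proof(self.key, b"server", server_nonce, self.nonce)
        return hmac.compare_digest(expected, server_proof)

    def respond(self, server_nonce: bytes) -> bytes:
        return proof(self.key, b"client", self.nonce, server_nonce)


def run_handshake(client: Client, server: Server):
    """Returns (server_authenticated_to_client, client_authenticated_to_server, transcript).
    The client sends nothing secret-derived until the server has proven itself,
    so a rogue server learns no proof it could reuse elsewhere."""
    nc = client.start()
    ns, server_proof = server.start(nc)
    if not client.verify_server(ns, server_proof):
        return False, False, None
    client_proof = client.respond(ns)
    return True, server.finish(nc, ns, client_proof), (nc, ns, client_proof)


def replay_attempt(server: Server, transcript) -> tuple[bool, bool]:
    """An attacker who captured (nc, ns, client_proof) tries two replays.
    Returns (first_message_replay_rejected, reused_proof_accepted)."""
    nc, _ns, client_proof = transcript
    try:                               # 1. replay the captured first message verbatim
        server.start(nc)
        first_rejected = False
    except ValueError:
        first_rejected = True
    attacker_nonce = secrets.token_bytes(16)   # 2. fresh session, but reuse the old proof
    ns2, _ = server.start(attacker_nonce)
    proof_accepted = server.finish(attacker_nonce, ns2, client_proof)  # False: bound to old ns
    return first_rejected, proof_accepted


if __name__ == "__main__":
    srv = Server(SHARED_KEY)
    print("honest handshake:", run_handshake(Client(SHARED_KEY), srv)[:2])     # (True, True)
    _, _, captured = run_handshake(Client(SHARED_KEY), srv)
    print("replay (rejected, accepted):", replay_attempt(srv, captured))       # (True, False)
    print("wrong server key:", run_handshake(Client(SHARED_KEY), Server(b"x"))[:2])  # (False, False)
```

Note what the test at the end of the block demonstrates: the same captured bytes are rejected both because the server remembers client nonces it has already answered and, independently, because the proof is bound to the server nonce of the session in which it was produced. A protocol that sends a password, or an HMAC over the password alone, has neither property.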
Mobile Endpoint and Storage Devices
Protecting endpoint devices issued by [COMPANY NAME] or storing company data is the responsibility of every employee. This pertains to all devices that connect to the company network, regardless of ownership. Mobile endpoint and storage devices are defined to include: desktop systems (in telework environment), laptops, PDAs, mobile phones, plug-ins, Universal Serial Bus (USB) port devices, Compact Discs (CDs), Digital Versatile Discs (DVDs), flash drives, modems, handheld wireless devices, wireless networking cards, and any other existing or future mobile computing or storage device, either personally owned or [COMPANY NAME] owned.
Mobile endpoint devices must meet the requirements for use as stated in the Asset Management Policy. Personnel are prohibited from disabling or modifying endpoint security controls.
[This section describes how all devices that connect to the company network, whether company-issued or personal, must be protected and meet the security requirements outlined in the Asset Management Policy. Employees are responsible for safeguarding these devices and are not allowed to disable or alter any security controls. This includes laptops, phones, USB drives, and other mobile or storage devices used for work.]
For storage devices,
A risk analysis will be conducted prior to the use or connection to the company network, unless previously approved.
Detection of incidents must immediately be reported to the [RESPONSIBLE PARTY, e.g., information security team].
Stolen mobile devices must immediately be reported to the [RESPONSIBLE PARTY, e.g., information security team].
[A risk analysis should be performed before any storage device is used or connected to the company network. Any security incidents or stolen mobile devices must be reported immediately to the appropriate team, such as the information security team.]
Procedures
[COMPANY NAME] requires all workforce members to comply with the following acceptable use requirements and procedures, such that:
All workforce members are primarily considered as remote users and therefore must follow all system access controls and procedures for remote access.
[This statement may be modified if you have physical facilities.]
Use of [COMPANY NAME] computing systems is subject to monitoring by [COMPANY NAME] IT and/or Security teams.
[In order to comply with this, you will have to determine internally how you plan to monitor these activities. You may develop a formal monitoring plan, or you may simply reserve the right to check any relevant logs if an incident were to occur or need to be investigated.]
Employees may not leave computing devices (including laptops and smart devices) used for business purposes, including company-provided and BYOD devices, unattended in public.
Device encryption must be enabled for all mobile devices accessing company data, such as whole-disk encryption for all laptops.
All email messages containing sensitive or confidential data will be encrypted.
Employees may not post any sensitive or confidential data in public forums or chat rooms. If a posting is needed to obtain technical support, data must be sanitized to remove any sensitive or confidential information prior to posting.
All data storage devices and media must be managed according to the [COMPANY NAME] Data Classification specifications and Data Handling procedures.
Employees may only use photocopiers and other reproduction technology for authorized use.
Media containing sensitive/classified information should be removed from printers immediately.
The PIN code function will be used on printers with such capability, so that the originators are the only ones who can get their print-outs and only when physically present at the printer.
[You can remove this statement if your organization does not use printers.]
[This section requires that remote users follow system access controls, use encrypted devices, and ensure sensitive data is protected when stored, emailed, or printed. Devices shouldn't be left unattended in public, and only authorized use of media and reproduction tools is allowed. All activity may be monitored by IT or security teams.]
Protection Against Malware
[COMPANY NAME] protects against malware through malware detection and repair software, information security awareness and appropriate system access and change management controls. This includes:
Restrictions on Software Installation
Only legal, approved software with a valid license installed through a pre-approved application store will be used. Use of personal software for business purposes and vice versa is prohibited.
The principle of least privilege will be applied, where only users who have been granted certain privileges may install software.
[COMPANY NAME] will identify what types of software installations are permitted or prohibited.
[This group of statements can be accomplished through manual or automated means, however, it will require you to identify a list of software or categories of software which you plan to prohibit within your environment.]
Anti-malware or equivalent protection and monitoring must be installed and enabled on all endpoint systems that may be affected by malware, including workstations, laptops and servers.
Controls that prevent or detect the use of unauthorized software (e.g. application allowlisting) will be implemented.
Controls that prevent or detect the use of known or suspected malicious websites (e.g. blocklisting) will be implemented.
[Allowlisting and blocklisting of software and websites can be done through tools (such as a Mobile Device Management tool or an Endpoint Detection and Response tool), or can be implemented manually through periodic checks of the software installed on devices and reviews of proxy or DNS logs to determine which websites were visited.]
Vulnerabilities that could be exploited by malware will be reduced, e.g. through technical vulnerability management.
[COMPANY NAME] will conduct regular reviews of the software and data content of systems supporting critical business processes; the presence of any unapproved files or unauthorized amendments should be formally investigated.
[This can be implemented through either manual or automated solutions. Automated solutions will often be alert driven, such as File Integrity Monitoring solutions which send alerts when unauthorized modifications occur.]
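The following is an added example of the file integrity monitoring approach the guidance above mentions; it is not code from the policy template or from any FIM product. It baselines SHA-256 digests of every regular file under a directory, then compares a later snapshot to report added, modified and removed files. The directory layout and the "unauthorized changes" are constructed inside the example so it runs offline; a real deployment would store the baseline somewhere the monitored host cannot rewrite it, and would raise an alert rather than return a dictionary.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map of path (relative to root, POSIX form) -> SHA-256 for every regular file.
    Symlinks are skipped on purpose: following them would let an attacker make
    the baseline cover, or the check pass on, files outside the monitored tree."""
    baseline: dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        baseline[p.relative_to(root).as_posix()] = file_digest(p)
    return baseline


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every difference between two snapshots."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario (not real system files): baseline a small tree, then
    simulate a tampered binary, a dropped script and a deleted config file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"original binary\n")
        (root / "config.ini").write_text("debug=false\n")
        (root / "README").write_text("unchanged\n")
        baseline = build_baseline(root)

        # Unauthorized amendments the review is meant to surface.
        (root / "bin" / "app").write_bytes(b"trojaned binary\n")   # modified
        (root / "bin" / "dropper.sh").write_text("#!/bin/sh\n")      # added
        (root / "config.ini").unlink()                               # removed

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

Comparing digests rather than size and modification time is deliberate: an attacker who can write a file can also restore its timestamp, but cannot make a different file hash to the same SHA-256. Empty result lists mean the tree matches the baseline.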
Malware detection and repair software will be installed and regularly updated to scan computers and media as a precautionary control, or on a routine basis; the scan carried out will include:
Any files received over networks or via any form of storage medium, for malware before use;
Electronic mail attachments and downloads for malware before use; this scan should be carried out at different places, e.g. at electronic mail servers, desktop computers and when entering the network of the organization;
Web pages for malware.
[COMPANY NAME] will determine the defense principles, effective placement, and configuration of malware detection and repair tools based on risk assessment outcomes; considerations will include:
Evasive techniques of attackers (e.g. the use of encrypted files) to deliver malware or the use of encryption protocols to transmit malware;
Protection against the introduction of malware during maintenance and emergency procedures, which can bypass normal controls against malware;
Implementing a process to authorize temporarily or permanently disabling some or all measures against malware, including exception approval authorities, documented justification and a review date.
Defining procedures and responsibilities to deal with malware protection on systems, training in their use, reporting and recovering from malware attacks.
Preparing appropriate business continuity plans for recovering from malware attacks, including all necessary data and software backup and recovery arrangements.
Implementing procedures to regularly collect information, such as subscribing to mailing lists or verifying websites giving information about new malware.
Implementing procedures to verify information relating to malware, and ensure that warning bulletins are accurate and informative; managers should ensure that qualified sources, e.g. reputable journals, reliable Internet sites or suppliers producing software protecting against malware, are used to differentiate between hoaxes and real malware; all users should be made aware of the problem of hoaxes and what to do on receipt of them.
Isolating environments where catastrophic impacts may result.
Where possible, disable USB ports, prohibit writable media use, and restrict read-only media to legitimate commercial sources and allowlisted software.
[This section requires that only approved, licensed software is used, that installation rights are restricted, and that all devices have up-to-date anti-malware protection. Scan files, emails, and websites for threats, apply allowlisting/blocklisting, and manage vulnerabilities. Regularly review systems, train users, and have response and recovery plans in place. Limit or disable USB and external media use where possible.]
Revision History
Version | Date | Editor | Approver | Description of Changes | Format |