Acceptable Usage Policy

1.0 Overview

The intention for the creation of this policy is to outline appropriate guidelines and procedures for
utilizing the computing resources owned by <YOUR COMPANY NAME>. This policy is intended to
prevent damage, both intentional and unintentional, which could result from unauthorized activity on
computing systems.

2.0 Purpose

The purpose of this policy is to outline the acceptable use of computer equipment and resources of
<YOUR COMPANY NAME>. These rules are intended to protect the employees of <YOUR
COMPANY NAME> and the organization itself. Inappropriate use exposes the organization, its
resources, and data to risks such as cyber attack, compromise of systems and services, as well as legal and
public relations issues.

3.0 Scope

This policy applies to all employees, contractors, consultants, and other permanent, semi-permanent,
temporary, or one-time users of <YOUR COMPANY NAME>’s systems. This policy also covers all
computing resources owned, leased, and utilized by <YOUR COMPANY NAME>.

4.0 Ownership

Computer hardware, peripherals, storage media, software, networks, and other related systems which are
owned or leased by <YOUR COMPANY NAME> remain the property of <YOUR COMPANY NAME>.
Additionally, any data which may reside on or be transmitted by any such systems remain the property of
<YOUR COMPANY NAME>. These systems, data, and equipment are intended to be used for business
purposes which serve the interest of the company, its clients, and customers in the course of normal
operations. No such resources may be taken from <YOUR COMPANY NAME> property without written
permission from the ISO or his designate.

5.0 Confidentiality

As the sole owner of the computing resources covered by this policy, <YOUR COMPANY NAME>
reserves the right to monitor and access any and all data and computing resources it owns with or without
the consent of users of the system. Users should be aware that they have no expectation of privacy while
operating on <YOUR COMPANY NAME>’s computers or networks.

Where possible <YOUR COMPANY NAME> will work to ensure as much privacy and confidentiality as
possible and reasonable for users of its systems. While employees are permitted a small amount of
personal use on <YOUR COMPANY NAME> computing resources (see Section 6.0), if there is any data
that employees do not want to be potentially stored on <YOUR COMPANY NAME> systems or viewed
by other <YOUR COMPANY NAME> personnel, they should not allow that data to be stored on or
transmitted by <YOUR COMPANY NAME> computing systems.

6.0 Appropriate Use

All computing systems that fall under the purview of this policy may not be used for any inappropriate
use. Judgment as to what entails inappropriate use is reserved exclusively to <YOUR COMPANY
NAME>. As a guideline, usage which pertains directly to work being done on behalf of <YOUR
COMPANY NAME> or for its clients or customers is acceptable use.

Reasonable personal use of <YOUR COMPANY NAME>’s computing systems is also permitted. Users
are expected to exercise good judgment when determining what consists of reasonable personal use.
Limited email, viewing news articles, checking weather conditions, and limited internet searching are
examples of reasonable personal use. Reasonable personal use should represent only a small fraction of a
user’s use of <YOUR COMPANY NAME>’s computing systems.

Inappropriate use of systems includes, but is not limited to excessive personal use of computing
resources, activities which directly opposes the best interest of <YOUR COMPANY NAME>, financial
activities by which a user of the system personally profits financially, pornography, games, any illegal
activities, violating network and security policies, password sharing, or posing as a spokesperson of
<YOUR COMPANY NAME> or communicating with media individuals or organizations without
authorization.

7.0 Reporting Misuse

Any employee who notices any behavior by other employees which they could reasonably consider to be
misuse or abuse of computing resources is required to report that information to the ISO’s office. The
ISO’s office is required to keep the source of such reports confidential from anyone without a direct need
to know.

The ISO should consider creating an automated, online reporting mechanism to report violations of this
policy. However, the ISO must have the ability to take reports in person.

The ISO or his designate may act on any such report at his discretion. Official disciplinary action may be
taken, however unofficial action may be taken as well. This could involve action such as notifying the
employee’s direct supervisor to discuss acceptable and unacceptable usage of computing resources with
the employee.

8.0 Enforcement

Violation of this policy may result in disciplinary action against the violator, which may include, but is
not limited to, the suspension of computer privileges, mandatory training attendance, mandatory unpaid
suspension, ineligibility for raises or promotions, and termination from employment with <YOUR
COMPANY NAME>.

Any disciplinary actions to be taken will be determined by the discretion of the ISO or his designate, who
should request input from the employee’s direct supervisor when determining what level of disciplinary
action is appropriate. Consideration should also be given to the employee in question’s past history of
computer use.

9.0 Rights and Responsibilities of Parties

It is the responsibility of every user of <YOUR COMPANY NAME>’s computing resources to review
and understand these policies. Employees and other users must sign the Acceptable Usage Agreement
Form stating that they understand these policies before access to <YOUR COMPANY NAME>’s
computing resources will be granted.

Additionally, <YOUR COMPANY NAME> reserves the right to change or amend this policy at any
time, without warning or notice. Employees and users of <YOUR COMPANY NAME>’s computing
resources should review this policy frequently to educate themselves about any updates to this policy.

Employees may at any time request access to the most current version of the Acceptable Usage Policy
from the ISO’s office. This request must be granted within one business day. Additionally, the most
current version of the Acceptable Usage Policy should be posted electronically in an easy to find and
access location for <YOUR COMPANY NAME> employees.

10.0 Expiration

The office of the ISO of <YOUR COMPANY NAME> is responsible for reviewing, editing, or amending
this policy as needed. The ISO must review and reapprove of this policy at least once annually to ensure
the policy conforms to current realities of <YOUR COMPANY NAME>’s needs. Any major changes to
this policy should be publicized to <YOUR COMPANY NAME>’s employees in a timely fashion to
ensure compliance with policy changes.

11.0 References

This document was adapted from the InfoSec Acceptable Use Policy from SANS as of March 1 st, 2010,
which can be accessed at http://www.sans.org/security-resources/policies/Acceptable_Use_Policy.pdf as
of the time of the writing of this document.