
Acceptable Use Policy Free Template

Here is a full Acceptable Use Policy compliant with SOC 2 (CC1.4, CC1.5) and ISO 27001 (A.5.10):

1. Document Control

  • Document Title: Acceptable Use Policy

  • Document Identifier: POL-ALL-002

  • Version Number: v1.0

  • Approval Date: <23 June 2025>

  • Effective Date: <23 June 2025>

  • Review Date: <23 June 2026>

  • Document Owner: <Chief Information Security Officer>

  • Approved By: <Information Security Governance Committee>

2. Purpose

The purpose of this Acceptable Use Policy is to define the acceptable behaviors, responsibilities, and constraints regarding the use of <Organization Name>'s information systems, networks, and technology resources. This policy is intended to protect the organization from security threats, legal liability, data breaches, and reputational damage by ensuring all users understand the standards governing the use of corporate IT assets.

This policy aligns with the SOC 2 Trust Services Criteria CC1.4 and CC1.5, which require that roles and responsibilities be assigned and enforced to ensure the integrity and availability of system resources. Additionally, it is consistent with ISO/IEC 27001 control A.5.10, requiring documented and enforced acceptable use procedures. By clearly articulating expectations and restrictions, the organization aims to safeguard its digital assets, ensure continuity of business operations, and foster a culture of information security.

3. Scope

This policy applies to all employees, contractors, interns, consultants, vendors, and other third parties who access or use <Organization Name>'s systems, network, or data in any capacity. It governs the use of all IT resources, including:

  • Company-issued laptops, desktops, and mobile devices

  • Corporate network access, including VPN and remote connectivity

  • Cloud-based collaboration and storage platforms

  • Email systems and communication tools

  • Internet and intranet resources

  • Physical access to data centers and secure facilities

This policy applies across all geographic locations, business units, and time zones where <Organization Name> operates or is represented.

4. Policy Statement

All users of <Organization Name>'s systems and networks must:

  • Use technology resources for authorized business purposes only.

  • Comply with all security and privacy regulations, including confidentiality requirements.

  • Refrain from engaging in any activity that may compromise the organization’s security, legality, or operational integrity.

Prohibited activities include, but are not limited to:

  • Accessing, storing, or distributing offensive, discriminatory, or illegal content

  • Using IT systems for personal gain or outside commercial activities

  • Circumventing security controls, firewalls, or user access restrictions

  • Installing unauthorized software or connecting personal devices to the corporate network

  • Sharing credentials or allowing unauthorized individuals to use company systems

Limited personal use is permitted only if it does not interfere with job responsibilities, violate any company policy, or expose systems to risk.

5. Safeguards

To enforce this policy, <Organization Name> will implement the following safeguards:

  • Access Control: Systems enforce role-based access and MFA (see POL-ALL-003).

  • Endpoint Security: All devices must have antivirus software, encrypted storage, and screen-lock timers.

  • Monitoring and Logging: Internet usage, login activity, and data transfers are logged and subject to monitoring.

  • Content Filtering: Web and email filters block known malicious domains, adult content, and file-sharing platforms.

  • Patch Management: Devices must auto-update or be patched manually within defined SLAs.

  • Data Handling: Users must follow the Data Classification and Data Loss Prevention procedures when handling sensitive or proprietary data.

The IT department will maintain technical controls to prevent or detect unacceptable use and generate alerts for non-compliance.

6. Roles and Responsibilities

  • CISO: Accountable for defining and updating acceptable use standards and integrating with other policy areas (e.g., HR, legal, compliance).

  • IT Department: Implements, maintains, and monitors technical safeguards supporting this policy.

  • Managers: Ensure their team members are aware of and comply with the policy.

  • All Users: Must read, understand, and adhere to the Acceptable Use Policy and report any suspected violations or incidents.

Each user must complete mandatory information security awareness training within 30 days of hire and annually thereafter.

7. Compliance and Exceptions

Compliance with this policy will be monitored through:

  • Regular reviews of access logs and user behavior analytics

  • Periodic security awareness tests

  • Scheduled internal audits by the Risk & Compliance team

Requests for exceptions to this policy must be submitted in writing to the CISO. Exceptions require a documented business justification, risk assessment, and approval by the Information Security Governance Committee. All approved exceptions will be tracked and reviewed semi-annually.

8. Enforcement

Violation of this policy may result in disciplinary actions in accordance with <Organization Name>'s HR procedures. Potential consequences include:

  • Verbal and written warnings

  • Revocation of system access

  • Re-training or mandatory participation in awareness programs

  • Termination of employment or contracts in severe or repeat cases

If the violation involves illegal activities (e.g., harassment, data theft, fraud), <Organization Name> may report the incident to legal authorities. Enforcement will be proportional to the severity of the breach and documented in each instance.

9. Related Policies/Documents

  • POL-ALL-001: Information Security Policy

  • POL-ALL-003: Access Control Policy

  • POL-SEC-004: Password Policy

  • POL-ALL-014: Information Classification Policy

  • ISO/IEC 27001:2022 A.5.10 – Acceptable Use of Assets

  • SOC 2 TSC CC1.4 – Communication of Responsibilities

  • SOC 2 TSC CC1.5 – Responsibility for System Operations

10. Review and Maintenance

This policy will be reviewed annually or following significant changes to IT infrastructure, regulatory requirements, or security incidents. The CISO is responsible for initiating reviews and coordinating with relevant stakeholders to ensure ongoing alignment with best practices and compliance frameworks.

Updates will follow the organization’s change control procedures, and new versions will be published in the company’s policy management system with version tracking and change logs.


Ready to experience the BlueDocs advantage

See why teams choose BlueDocs for comprehensive knowledge management, training workflows, and policy compliance tracking.
