C.2 Acceptable Use Policy (AUP)

Version: April 2025
Applies to: All employees, contractors, and third-party users
Aligned with: ISO/IEC 27001:2022 – A.5.10, A.6.2, A.7.4, A.8.x, A.5.36

Purpose

To protect users and the organization from digital risks and legal exposure due to misuse of IT systems, devices, and data.

1. Scope

Applies to:
- All devices, systems, and network services used for company business — regardless of ownership
- All users accessing company networks or systems (employees, contractors, consultants, etc.)

2. General Use Guidelines

- Company data remains company property, regardless of where it's stored
- Use data/systems only as needed for your job
- Report any theft, loss, or unauthorized disclosure immediately
- Personal use is allowed within reason — subject to department rules
- All company systems may be monitored or audited at any time

3. Security Requirements

All devices must comply with the Minimum Access and Password Policies.

Devices must:
- Use password-protected screen locks (auto-lock: ≤10 mins)
- Be logged off or locked when unattended

Additional Requirements:
- Sharing passwords or account access is prohibited
- Use caution when opening unknown email attachments
- All mobile devices connecting to company networks must meet internal compliance standards

4. Unacceptable Use (Examples)

You must not:

Network Misuse
- Install pirated or unlicensed software
- Distribute copyrighted media without permission
- Access systems/accounts without business purpose
- Export encryption/technical info in breach of laws
- Spread malware (e.g., viruses, ransomware)
- Share passwords (even with family)
- Disrupt services (e.g., DoS attacks, brute-force attempts)
- Use port/network scanning tools without InfoSec approval
- Set up honeypots/honeynets
- Run network monitoring unless required by role

Email & Communication
- Send spam, chain letters, or pyramid schemes
- Forge email headers or impersonate others
- Use email/phone to harass or intimidate
- Advertise or solicit without approval
- Post unsolicited company-related content on public forums
- Use company networks to spread non-business messages

Blogging & Social Media
- Blog or post anything that reveals confidential data
- Use company branding or trademarks without permission
- Express personal opinions as if on behalf of the company
- Engage in defamatory, harassing, or discriminatory behavior
- Tarnish the reputation of the company or its employees

All posts must follow legal, IP, and company conduct policies.

5. Enforcement & Sanctions

Policy breaches may result in:
- Refresher training or written warnings
- Suspension of access rights
- Termination of contract or employment
- Legal consequences for unlawful behavior

Enforcement is proportionate, impartial, and follows internal HR/legal procedures.
