ACCEPTABLE USE POLICY

EXECUTIVE SUMMARY

Documented policies and procedures play an integral role in efficient and effective company operations. They are
also key to the company’s internal control environment.

By definition, a “policy” is any rule or set of rules that require or guide action. A policy should be designed to
promote the conduct of authorized activities in an effective, efficient and economical manner. It should provide a
satisfactory degree of assurance that the company's resources are suitably safeguarded. Also, any policy
formulated should conform to applicable laws and regulations and should be consistent with the mission and
philosophy of the company.

Procedures are the methods employed to carry out activities in conformity with prescribed policies. To promote
maximum efficiency and economy, prescribed procedures should be as simple as possible and should not be
overlapping, conflicting or duplicative.

All teams within a company that follow standardized procedures for operations related to specific policies
established by the company should establish a formalized policy and practice. A leading practice is to develop a
policy to create guidelines for the formulation, finalization and maintenance of the company’s formal policies and
practices.

This tool contains two sample policies that establish standards and procedures for governing the acceptable use
of technology and other information resources.

Under these policies, a company’s employees, contractors, interns, consultants and third-party affiliates, referred to
as “users,” are granted access to the company’s information resources for the limited and express purpose of
executing their job responsibilities. The company’s risk management group has a mission to protect and maintain
the confidentiality, integrity and availability of the company’s information resources.

This document can be used as a sample and is not meant to be an exhaustive list of procedures. Organizations
should select, update and modify the content included in this document to ensure that it reflects business
operations.

2 Source: www.knowledgeleader.com
ACCEPTABLE USE POLICY: SAMPLE 1

Prepared By:

Approved By:

Revision Date:

Effective Date:

The following sample outlines a set of policies and procedures governing Company X's acceptable use of
technology resources.

PURPOSE

This policy outlines the acceptable use of technology resources at Company X. This document extends the
Company Resources section of the Company X team member handbook. These rules are in place to protect
Company X. Inappropriate use of technology resources can expose Company X to risks, including virus attacks,
compromise of network systems and services, and legal issues.

SCOPE

This policy applies to anyone with authorized access to the Company X technology resources, including
permanent and temporary employees or third-party personnel such as temporaries, contractors, consultants and
other parties with valid Company X access accounts. This policy applies to all equipment owned or leased by
Company X or connected to any Company X resources.

POLICY

Computer resources must be utilized consistently with the Company X ethics statement. Information Security
Services (ISS) is committed to protecting Company X technology resources from illegal or damaging actions by
individuals, whether those actions are intentional or not.

Internet, intranet and extranet-related systems, including computer equipment, software, operating systems,
storage media and network accounts, are the property of Company X. These systems must be used solely for
business purposes when serving the interests of Company X and its clients and customers in the course of
normal operations.

Effective security is a team effort involving the participation and support of every Company X employee and
affiliate who deals with information and information systems. It is the responsibility of all users to know these
guidelines and to conduct their activities accordingly.

DEFINITIONS

• Ponzi Scheme: A type of illegal pyramid scheme named after Charles Ponzi. He duped thousands of New
England residents into investing in a postage stamp speculation scheme in the 1920s. Money from new
investors is used to pay off early investors until the scheme collapses, leaving recent investors with no means
to recover their money.
• Pyramid Scheme: In the classic “pyramid” scheme, participants attempt to make money by recruiting new
participants.
• Technology Resources: All computing, networking and software applications that authorized Company X
users can access.
• Traffic: Managing the number of users and data on a communications device or system.
• User: Anyone with authorized access to the Company X technology resources, including permanent and
temporary employees or third-party personnel such as temporaries, contractors, consultants and other parties
with valid Company X access accounts.

PROCEDURES

SECTION 1: POLICIES GOVERNING ACCEPTABLE USE OF COMPANY X RESOURCES

• Users must not expect privacy while utilizing Company X resources. Email, network and machine activity may
be monitored to protect Company X resources from abuse.
• Users must be aware that the data they create on Company X systems remains the property of Company X.
Company X has the right to access all information stored on any device belonging to Company X. This
includes personal emails, documents or communications transmitted or stored on Company X resources.
• Company X strongly discourages using Company X resources for personal use, including using Company X
resources as repositories for personal data. All use of Company X systems may be monitored.
• ISS recommends that any personal information that users consider sensitive or vulnerable be encrypted.
• Authorized individuals within Company X may monitor and access Company X facilities, systems and network
traffic at any time.
• Users are not permitted to disable security services, devices or software on any Company X resource unless
explicitly authorized by ISS.
• Company X reserves the right to audit Company X resources periodically to ensure compliance with this policy.

SECTION 2: SECURITY AND PROPRIETARY INFORMATION

Information contained on the internet, intranet or extranet-related systems will fall under established data-
sensitivity classifications for Company X data (refer to the data classification and information protection policy for
more information). For example, classes of sensitive Company X information include competitor-sensitive data,
trade secrets, customer lists, candidate information and human resources data. Users must take all necessary
steps to prevent unauthorized access to this information.

Authorized users are required to keep passwords secure and not share accounts. Passwords should be changed
in accordance with both the user password policy and the quarterly password change procedure. Abuse of any
account is the responsibility of the account owner.

When left unattended, laptops, PCs and workstations must be secured by one of the following methods:
• Incorporate a password-protected screensaver with the automatic activation feature set at 10 minutes or less.
• Lock the system (press “Ctrl-Alt-Delete” and then select the “Lock Computer” option).
• Log off the computer.

Information on portable computers is especially vulnerable; therefore, special care should be exercised to secure
those systems. Refer to the hardening standard for portable computing devices policy for more information.

Postings by users from a Company X email address or resource to newsgroups must contain a disclaimer stating
that the opinions expressed are strictly the users’ own opinion and not necessarily those of Company X.

Non-Company-X equipment brought into Company X facilities or connected to the Company X network is bound
by the third-party access policy.

If allowed to use non-Company-X equipment, users accessing Company X technology resources must have the
following security software installed:
• Personal firewall (that limits access to and from the machine)
• Anti-virus (that has both real-time protection and scheduled virus scans)
• Spyware detection

Users must use extreme caution when opening email attachments received from unknown senders as they could
contain viruses, email bombs or malicious code. Refer to the user malicious software protection policy for more
information.

Users must not install any software on Company X resources, whether personally licensed or not. Users requiring
Company-X-approved, authorized and licensed software installation must contact desktop engineering.

Users must not install or utilize methods that circumvent the security limitations placed on them by security
services and devices. Users who need access to resources must request an exception rather than attempt to
circumvent the Company X security perimeter. Refer to the exceptions and non-conformance policy for more
information.

SECTION 3: UNACCEPTABLE USE

The activities listed below are prohibited. Some users may be exempt from these restrictions during their
legitimate job responsibilities; for example, systems administration staff may need to disable a host's network
access if that host is disrupting production services. Under no circumstances is a Company X employee
authorized to engage in any activity outside their scope of work.

The list below is not exhaustive but an attempt to provide a framework for activities falling into the category of
Unacceptable Use. If users are uncertain whether an activity is acceptable, they must consult their manager and
ISS for confirmation before performing that activity.

The following activities are strictly prohibited:

• Introduce malicious programs onto Company X technology resources (viruses, worms, Trojan horses, email
bombs, etc.) or download related programs.
• Reveal your password to others or allow the use of your account by others. This includes family and other
household members when working at home or sharing “group” system accounts for ease of use (refer to the
user password policy for more information).
• Use Company X computing resources to actively procure or transmit material that violates sexual harassment
or hostile workplace laws.
• Make offers of products, items or services originating from any Company X account except within the scope of
your job.
• Breach or disrupt network communications. Security breaches and disruptions include:
− Accessing data of which the user is not an intended recipient
− Logging into a server or account that the user is not expressly authorized to access
− Excessive network traffic
− Network sniffing
− Ping floods
− Packet spoofing
− Denial of service
− Forged routing information for malicious purposes
• Monitor networks, scan ports or perform security/vulnerability scans. This includes “testing” of security tools on any
Company X resources.
• Circumvent user authentication or Company X security.
• Download music, software or video from any source (unless as a part of job scope).
• Install or use tunneling or other circumvention software that has the direct or indirect result of avoiding security
services and restrictions at Company X.
• Provide information about or lists of Company X users, customers, clients or candidates to parties outside
Company X without authorization from Company X senior management.
• Violate the rights of any person or company protected by copyright, trade secret, patent or other intellectual
property or similar laws or regulations. This includes installing or distributing “pirated” or other software
products not appropriately licensed for use by Company X.
• Copy copyrighted material, including digitization and distribution of photographs from magazines, books or
other copyrighted sources; copyrighted music; and the installation of any copyrighted software for which
Company X does not have an active license.
• Export software, technical information, encryption software or technology in violation of international or regional
export control laws. Company X management should be consulted prior to exporting any questionable
material.

SECTION 4: PROHIBITED EMAIL AND COMMUNICATIONS ACTIVITIES

The following items are strictly prohibited:
• Send unsolicited email messages, including “junk mail” or other advertising material to individuals who did not
specifically request such material (such as email spam). Marketing emails must comply with Company X’s
email protocols and etiquette document, or risk being categorized as spam or “junk mail.”
• Subscribe to or participate in any forum, distribution service or group that delivers, distributes or disseminates
illegal, inappropriate, offensive or otherwise questionable material.
• Perform any form of harassment via email, telephone or paging whether through language, frequency or size
of messages.
• Transfer, view or print materials in violation of sexual harassment or hostile workplace laws.
• Download or receive messages and attachments from untrusted or non-Company X resources that may
contain viruses and malicious programs.
• Forge email header information.
• Solicit emails for any other email address, other than that of the poster’s account, with the intent to harass or to
collect replies.
• Create or forward chain letters or other pyramid schemes of any type.
• Send unsolicited email originating from within Company X’s networks or from other internet, intranet or extranet
service providers on behalf of, or to advertise, any service hosted by Company X or connected via Company
X’s network.
• Post the same or similar non-business-related messages to many newsgroups (newsgroup spam).

SECTION 5: ENFORCEMENT
Network activities may be monitored and logged to ensure compliance with the rules established here and in other
ISS policies, procedures, standards and guidelines.

Any user found to have violated this policy may be subject to disciplinary action, including termination of
employment, legal action as appropriate, or both. No provision of this policy will alter the at-will nature of the
employment relationship at Company X.

SECTION 6: POLICY UPDATE AND NOTIFICATION

Company X reserves the right to revise the conditions of this policy at any time by giving notice via the information
security policy update procedure. Users are responsible for understanding or seeking clarification of any rules
outlined in this document and for familiarizing themselves with the most current version of this policy.

SECTION 7: RELATED DOCUMENTS

• User Password Policy
• User Malicious Software Protection Policy
• Third-Party Access Policy
• Exceptions and Non-Conformance Policy
• Data Classification and Information Protection Policy
• Policy Exceptions and Non-Conformance Standard
• Hardening Standard for Portable Computing Devices
• Information Security Policy Update Procedure
• Quarterly Password Change Procedure
• Employee Handbook
• Email Protocols and Etiquette

ACCEPTABLE USE POLICY: SAMPLE 2

Prepared By:

Approved By:

Revision Date:

Effective Date:

PURPOSE

Company X employees, contractors, interns, consultants and third-party affiliates, hereinafter referred to as
“users,” are granted access to Company X’s information resources for the limited and express purpose of
executing their job responsibilities. Company X’s risk management group has a mission to protect and maintain
the confidentiality, integrity and availability of Company X’s information resources. Users are reminded of their
responsibility to protect Company X’s information from unauthorized disclosure or loss and to conduct themselves
morally, ethically and legally.

Unauthorized or inappropriate use of electronic communications systems causes communication, network and
systems degradation, and safety concerns. These systems represent a considerable commitment to Company X’s
resources. This policy is designed to help users understand Company X’s expectations for the use of these
information resources and assets.

Any employee who discovers a violation of this policy should notify their immediate supervisor, a human
resources representative or a manager associated with the risk management group.

SCOPE

This policy for acceptable use extends to all users who have access to Company X’s information assets.

ACCEPTABLE USE POLICY

INFORMATION ASSETS
Company X considers all aspects of its electronic systems, including all messages or files composed,
sent or received on them, to be owned information assets of Company X.

“Information asset” is defined as any data gathered, used or observed by each associate in the course of their
employment. Information includes technical, financial, personnel, staffing, payroll, computer systems, marketing,
advertising, merchandising, product, vendor, customer data, trade secrets or other similar information. This data
may be in any form, including paper documents, email, faxes, electronic instant messages, voicemail messages,
customer information (e.g., name, address, social security number, telephone number and credit card data),
advertising data, financial reports and electronic data on devices such as company computers, personal digital
assistants, Blackberry devices, mobile phones, pagers, USB flash memory devices, tape backups or other
removable media. Requests for all devices should be made via the IT equipment request form, authorized by an
acceptable approver and submitted to the help desk.

Information assets are vital to the successful operation of the company. Users accept responsibility for protecting
Company X’s information resources. They will take reasonable steps not to intentionally or inadvertently disclose
this information or leave it unattended, either by computer screen access or in paper format where others without
a need to know, right to know and time to know may access it.

ACCOUNTABILITY
The use of company information resources and assets is based on the principle of individual accountability and
segregation of duties. Each user is personally responsible for all activities, intentional or unintentional, conducted
under their user identification code(s) or assigned information assets.

NO EXPECTATION OF PRIVACY
Except as provided by any applicable national or local law, users will have no expectation of privacy in anything
they create, store, send or receive on Company X’s information assets, and to the extent permitted by law, users
waive all privacy rights in such materials. All email and electronic records are subject to disclosure to enforcement
agencies in connection with civil litigation or regulatory investigations.

CONSENT TO MONITORING
Company X (or others acting on its behalf) maintains the right to monitor, seize, review, audit, intercept, access,
block and disclose all aspects of its electronic systems at any time and without notice or limitation for investigative
and quality-of-service issues. This includes email and other electronic messages, company-provided telephones,
internet site access, chat and newsgroup activity, and downloaded or uploaded material.

USER ID AND PASSWORD RESPONSIBILITIES

Each user’s ID and password controls access to information resources but does not imply privacy. Users should
understand that their user ID, password and other personal identification codes should not be shared or given to
any unauthorized person. Any user who shares their user ID and/or password directly violates this policy and is
subject to disciplinary action. Users will construct passwords or passphrases following the Company X standard
for password conventions.

ACCEPTABLE USE OF EMAIL AND ELECTRONIC COMMUNICATIONS SYSTEMS

Users are responsible for ensuring that email and internet tools are used efficiently, ethically and in compliance
with this policy and Company X’s corporate policies.

Company X’s electronic resources, including email and the internet, must not be used to access, display, create,
transmit, receive or store the following inappropriate materials:
• Threats
• Pornographic or sexually explicit material
• Material containing derogatory content based on a protected classification (including age, religion, gender,
race, national origin, pregnancy, sexual orientation, uniformed service, protected disability status or hate-
oriented comments)
• Offensive language or material that is otherwise inappropriate or unlawful
• Discriminatory language or remarks that would constitute harassment of any type
• Junk mail and chain letters
• Conducting personal business ventures on Company X information assets

Users must exercise good judgment when using email or internet and intranet communication systems. At all
times, users have the responsibility to use company internet and intranet communication systems in a
professional, ethical and lawful manner. Communications from a Company X domain (e.g.,
yourname@CompanyX.com) must not contain information that could be perceived as offensive by another (e.g.,
derogatory expressions, jokes, slogans, cartoons, comments and/or pictures related to race, color, creed, age,
religion, sex, sexual orientation, national origin, disability or veteran status) that the owner would not want to see
distributed bearing their or Company X’s name.

Users are not authorized to retrieve any email message unless that user is the intended recipient. Any exception
to this policy requires prior human resources approval and a legitimate business purpose.

Electronic communication systems must not be used to send or receive trade secrets, intellectual property,
confidential information or similar data without prior authorization from the information owner and only using
secure methods. Company X provides information on encryption requirements for protecting information being
conveyed outside of Company X as prescribed in Company X’s data classification standard.

Improperly licensed software installation is prohibited on corporate systems. Any non-Company X licensed
(privately/user licensed) software or freeware/shareware downloads are prohibited on corporate machines, as
they violate licensing agreements. Individual users are prohibited from making any unauthorized alteration to the
configuration of company-maintained computing systems or networks.

Physical or electronic files may only be sent, received or used for business in ways consistent with their licenses,
copyrights and handling controls as described in the data classification standard. Unauthorized peer-to-peer file-
sharing software is not permitted on any Company X computer.

In order to protect Company X’s sensitive information, users are responsible for maintaining a backup of their
critical files. Users are responsible for maintaining strict controls of their information resources by locking
workstations with screensavers, lockable docking stations and cable locks. Users must maintain a clean desk by
removing sensitive information and securing it into a lockable desk or file cabinet. Any equipment or media taken
off-premises should not be left unattended or unsecured in public areas. Disposal and destruction of Company X
information must follow the appropriate company policy for information retention, data classification and controls
handling.

Users must not knowingly disable or overload any computer system or network or circumvent any system security
intended to protect the privacy or security of another user.

Company X networks, information systems and assets will be accessed over corporately approved and
standards-based connectivity technology. All internet, business-to-business and remote user access requires
management approval and must include any necessary contractual indemnity controls prior to the access grant.

Computer systems may not be connected to Company X’s network(s) without the current corporate standard anti-
virus protection. Any employee who attempts to disable, defeat or circumvent any company security facility or
propagate any virus or worm will be subject to policy enforcement actions. Users are required to comply with
actions for software patching and virus control directives as issued by the company.

ENFORCEMENT
Willful misuse, defined as a violation of this policy or other Company X corporate policies, provides grounds for
disciplinary and enforcement action. Company X reserves the right to prosecute all violations of this policy as
permitted by law. Enforcement actions may subject violators to disciplinary action, including termination, as well
as potential civil and criminal charges.

This type of violation may not be limited to this policy, but may also violate applicable laws and regulations with
additional criminal and civil sanctions attached.

EMPLOYEE ACKNOWLEDGEMENT

By signing below, the user acknowledges consent to monitoring and awareness that violations of this policy may
subject them to disciplinary action, including termination as well as civil and/or criminal charges.

I acknowledge that I have read and that I understand this policy.

Employee Name Printed

Signature of Employee

Date

**The company reserves the right to amend the foregoing policies, procedures and guidelines at any time for any
reason.
