Acceptable Use Policy

This Acceptable Use Policy (AUP) establishes the mandatory rules for the acceptable use of [Company Name]’s information systems and information assets. Its core purpose is to safeguard the confidentiality, integrity, and availability of these assets and, through them, the company’s digital operational resilience.
This AUP is positioned not merely as a set of rules but as a proactive risk mitigation tool. It is a foundational document that integrates with existing internal policies, including the Information Classification Policy, Information Transfer Policy, Incident Handling Policy, Information Security Policy, and Security Policy for Human Resources. By clearly defining expectations for user behavior and the consequences of violating them, the AUP acts as a primary preventative control, reducing the likelihood that human error or malicious insider activity leads to an incident. In this way it moves beyond simple regulatory adherence to actively minimizing ICT risk.

This policy defines the acceptable and unacceptable use of [Company Name]’s information systems, networks, applications, and all associated information assets by all personnel. Its primary objective is to protect the confidentiality, integrity, and availability of these assets, ensuring a secure and productive working environment. The policy aims to provide clear guidelines that empower users to act responsibly while safeguarding the organization’s digital infrastructure.
The specific objectives of this AUP include:

  • Ensuring compliance with legal, regulatory, and contractual obligations.
  • Mitigating risks associated with misuse, unauthorized access, data breaches, and other security incidents.
  • Promoting a culture of security awareness, responsibility, and ethical conduct among all users.
  • Defining clear expectations for user behavior to safeguard company resources and maintain operational resilience.
  • Providing a framework for consistent monitoring, enforcement, and disciplinary action in case of violations.

The emphasis on access being a “privilege, not a right,” coupled with the focus on legal compliance, makes this AUP more than a simple guideline: it is a document that [Company Name] can rely on when taking disciplinary or legal action.
Beyond listing rules, this AUP aims to foster a specific organizational culture. The objective of “promoting a culture of security awareness, responsibility, and ethical conduct” is set alongside the compliance objectives because sustained compliance depends on that culture rather than on enforcement alone.

This policy applies to all individuals who access, use, or manage [Company Name]’s information systems and assets, including but not limited to:

  • All employees (permanent, temporary, part-time).
  • Contractors, consultants, and third-party service providers.
  • Interns and volunteers.
  • Any other authorized users of [Company Name]’s resources.

The policy covers all information systems and information assets, regardless of their location (on-premises, remote, cloud-based) or ownership (company-issued or approved personal devices used for company business, where applicable). This comprehensive coverage ensures that security standards are applied consistently across the organization’s entire digital footprint. This includes, but is not limited to:

  • Hardware (e.g., laptops, desktops, mobile devices, servers, networking equipment).
  • Software (e.g., operating systems, applications, databases).
  • Networks (e.g., internal networks, internet access, wireless connections).
  • Data and Information (e.g., electronic files, physical documents, intellectual property).
  • Communication services (e.g., email, instant messaging, video conferencing).

The scope section deliberately broadens the traditional view of what constitutes an “asset.” By covering “all associated information assets,” the policy includes intangible items such as trade secrets and intellectual property, extending well beyond physical hardware and software.

The following principles underpin the acceptable use of [Company Name]’s information systems and assets:

  • Privilege, Not Right: Access to [Company Name]’s information systems and assets is a privilege, not an inherent right. This privilege can be revoked at any time for violations of this policy or other company policies.
  • Responsibility and Accountability: Users are personally responsible and accountable for their actions when using company resources and for protecting the information assets entrusted to them.
  • Ethical Conduct: All use of company resources must be consistent with ethical standards, professional conduct, and [Company Name]’s values.
  • Business Purpose: Company resources are provided primarily for legitimate business purposes. Limited personal use may be permitted as per specific guidelines, provided it does not interfere with work, consume excessive resources, or violate any other policy provisions.

To ensure clarity and consistent understanding, the following terms are used in this policy:

  • Acceptable Use Policy (AUP): A formal set of guidelines established by [Company Name] defining the conditions under which access to its information systems and assets is granted, specifying permitted, restricted, or prohibited behaviors.
  • Information Assets: Any information or information system that has value to [Company Name]. This includes, but is not limited to, hardware, software, data (electronic and physical), networks, intellectual property, and communication services.
  • Information Systems (ICT Systems): Network and information systems supporting the business processes of [Company Name], encompassing all hardware, software, and network infrastructure used for processing, storing, or transmitting information.
  • ICT Risk: Any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialized, may compromise the security of the network and information systems, of any technology-dependent tool or process, of operations and processes, or of the provision of services.
  • ICT-related Incident: A single event, or a series of linked events, unplanned by [Company Name], that compromises the security of the network and information systems and has an adverse impact on the availability, authenticity, integrity, or confidentiality of data, or on the services [Company Name] provides.
  • Sensitive Information: Information classified by [Company Name] as requiring specific protection due to its confidentiality, integrity, or availability requirements, as defined in the Information Classification Policy.
  • Malware: Malicious software designed to disrupt, damage, or gain unauthorized access to computer systems.
  • Endpoint Devices: Hardware assets, together with the software installed on them, through which users access [Company Name]’s network and information systems, including laptops, desktops, mobile phones, and other user devices.
  • Teleworking/Remote Working: The arrangement where personnel perform their duties from a location outside of [Company Name]’s official premises, including home offices.
  • ICT Third-Party Service Provider: An undertaking providing ICT services to financial entities.
  • Intellectual Property Rights (IPR): Legal rights protecting creations of the mind, such as copyrights, trademarks, patents, and trade secrets.

All personnel must strictly adhere to all applicable national, international, and local laws, regulations, and contractual obligations when using [Company Name]’s information systems and assets. This includes, but is not limited to, data protection laws (e.g., GDPR), intellectual property laws, and specific financial sector regulations. Any activity that is illegal or promotes illegal conduct is strictly prohibited. Organizational policies do not supersede legal requirements; users are bound by both.

3.2. Information Security Policy Adherence

This AUP is an integral part of [Company Name]’s overarching Information Security Policy. All personnel must familiarize themselves with and comply with the Information Security Policy and all related security procedures and protocols. This ensures a consistent and unified approach to information security across the organization.
The AUP functions as a subordinate yet critical component of the broader Information Security Management System (ISMS). This implies a hierarchical structure where the Information Security Policy sets the strategic direction for the ISMS, and the AUP provides the operational rules for user behavior, translating high-level objectives into actionable guidelines.

3.3. Information Classification and Handling

Personnel must handle all information assets in accordance with [Company Name]’s Information Classification Policy. Data must be classified based on its sensitivity, value, and criticality, and appropriate safeguards applied as per its classification level.
This includes:

  • Storing sensitive information only in approved, secure locations.
  • Restricting access to sensitive information to authorized individuals only.
  • Ensuring that sensitive information is not disclosed to unauthorized individuals or entities, whether intentionally or unintentionally.
  • Adhering to data encryption standards where required.

Personnel must respect and protect [Company Name]’s intellectual property rights, including copyrights, trademarks, patents, and trade secrets. This also extends to respecting the IPR of third parties. Protecting IPR is vital for maintaining competitive advantage and legal standing.
Prohibited activities include:

  • Unauthorized reproduction, distribution, or use of copyrighted materials, software, or media.
  • Installation or use of unlicensed software on company systems.
  • Misappropriation of trade secrets or proprietary information.

Personnel must only procure software and media from verified vendors and maintain records of licenses and usage terms.

4. Specific Acceptable Use Guidelines for Information Systems and Assets

All company-issued endpoint devices (laptops, desktops, mobile phones) must be registered and configured according to [Company Name]’s secure configuration baselines. Personnel must not install unauthorized software programs on company devices, adhering to strict controls over the software environment. Physical protection of devices is mandatory; devices must not be left unsupervised and should be secured with physical measures (e.g., key locks) and technical measures (e.g., strong passwords, screen locks, inactivity timers) when not in use. Users must log out of services or terminate sessions when no longer needed to prevent unauthorized access.

The use of privately-owned equipment for company business must be explicitly authorized and managed through specific policies to control the associated security risks. Where authorized, personnel must agree to physically safeguard the device, to install essential software updates, and to acknowledge that they hold no ownership rights over company data stored on the device. Technical controls, such as device segregation (containerization) or virtual desktop access, must be in place to separate personal and business use and to protect company information.

Personnel must exercise extra caution when using endpoint devices containing sensitive data in public places or insecure environments (e.g., hotel rooms, public transport) to prevent unauthorized viewing or theft. Location-tracking tools and remote wipe capabilities should be enabled on company-issued mobile devices where feasible, allowing for device recovery or data protection in case of loss or theft.
The “human firewall” is as critical as technical controls for device security. While technical controls like screen locks, inactivity timers, and remote wipe capabilities are important, the emphasis on user responsibility is pervasive. Personnel are explicitly instructed not to leave devices unsupervised, to exercise extra caution in public places, and to adhere to manufacturer instructions for physical protection against environmental factors.

Only authorized software, approved by [Company Name]’s IT department, may be installed on ICT systems and endpoint devices. This control prevents the introduction of unvetted or malicious software. Personnel must not attempt to circumvent security measures or install unauthorized applications, including freeware, shareware, or pirated software. Software updates and patches must be applied promptly as directed by IT, after successful testing and in line with change management procedures, to maintain system integrity and security.

Personnel must take all necessary precautions to protect against malicious code (malware), including using company-provided antivirus/anti-malware solutions, exercising caution with email attachments and suspicious links, and reporting any suspected infections immediately. Access to potentially malicious or dangerous websites or services should be blocked or managed through web filtering and allowlisting where appropriate, to prevent drive-by downloads and other web-based threats.

All information systems and ICT assets must adhere to [Company Name]’s secure configuration baselines to minimize exposure to vulnerabilities. These baselines define the minimum security settings required for all systems. Personnel must not alter system configurations without proper authorization, ensuring that security settings are maintained consistently.

Internet access is provided primarily for business purposes. Limited, reasonable personal use is permitted provided it does not interfere with work, consume excessive bandwidth, or violate any other policy. Personnel must not access, download, or distribute illegal, offensive, or inappropriate content, ensuring a professional and legally compliant online environment.

[Company Name] employs web filtering controls to prevent access to malicious or inappropriate websites, including those known or suspected to contain malware, command and control servers, or illegal content. Personnel must not attempt to bypass web filtering mechanisms, as these are critical security controls. Training will be provided on safe web usage and the process for requesting access to restricted websites for legitimate business reasons, balancing security with operational needs.

Prohibited activities include, but are not limited to, attempting to gain unauthorized access to systems or accounts, engaging in network scanning or probing, or intentionally disrupting network services. Use of public communication services (e.g., consumer messaging or file-sharing services) for company information requires prior authorization, and stronger authentication methods must be used when sending sensitive data via public networks.
The policies around web filtering and internet use reflect a necessary tension between enabling productivity and preventing threats.

All transfers of [Company Name]’s information, whether electronic (e.g., email, cloud sharing), physical (e.g., USB drives, paper documents), or verbal (e.g., phone calls, meetings), must adhere to the Information Transfer Policy and established security measures. This includes using encryption for sensitive electronic transfers, secure packaging for physical media, and conducting confidential discussions only in secure, private environments. Personnel must verify recipients’ identities and avoid sending sensitive information to incorrect addresses. Automated forwarding of sensitive information to external addresses is restricted to prevent unintended disclosure.

Removable data storage devices (e.g., USB drives, external hard drives) should only be used where residual ICT risk is acceptable and in accordance with company policy. Monitoring of information transfer to removable media is required to detect unauthorized data exfiltration. Sensitive data on removable media must be encrypted to protect its confidentiality.

4.4.3. Data Loss and Leakage Prevention (DLP)

Personnel must comply with the security measures in place to prevent data loss and leakage from systems and endpoint devices. This includes adherence to DLP tools and policies and to restrictions on printing sensitive information, taking screenshots of it, or sharing or streaming screens that display it. Personnel are strictly prohibited from disclosing sensitive information to unauthorized individuals or entities.

Personnel are responsible for safeguarding their authentication information (e.g., passwords, cryptographic keys, tokens, biometrics) and must not share it with anyone. This personal responsibility is foundational to account security.

Passwords must be managed according to the Password Policy.

Authentication information must be stored and transmitted only through secure channels and in protected formats (e.g., encrypted in transit; hashed or encrypted at rest). Transmitting credentials in plain text is strictly prohibited to prevent interception.
Strong authentication is a critical enabler of digital operational resilience, as weak or compromised authentication is a primary vector for cyberattacks.

Personnel engaged in remote working activities must adhere to the Remote Working Policy, ensuring secure access to information systems and networks from non-company premises. This ensures consistency in security regardless of work location.

Remote working environments must maintain physical security rules, including clear desk and clear screen policies to protect information from unauthorized viewing. Confidential information (physical or digital) must be stored in lockable storage, and sensitive printouts securely shredded, especially for home workers.

[Company Name] will supply suitable equipment and storage furniture for remote working activities, and generally forbids the use of privately-owned equipment not under its control. Device screen locks and inactivity timers must be enabled for remote access. Device location tracking may be enabled on company-issued devices to aid recovery or remote data wiping if a device is lost or stolen.

5.1. Reporting Information Security Events

All personnel have an obligation to promptly report any observed or suspected information security events, weaknesses, or incidents through the appropriate channels established by [Company Name]. This includes anomalous behavior, system malfunctions, access violations, suspected malware infections, or any deviation from security policies. The reporting system should be straightforward, accessible, and available to all personnel.

Reported information security events will be handled in accordance with [Company Name]’s Incident Handling Policy. A dedicated incident response team, with the required competency, will manage each incident through defined processes including detection, triage, prioritization, analysis, containment, mitigation, recovery, and post-incident review. Communication regarding incidents will adhere to established protocols, ensuring timely and accurate information sharing with relevant internal and external stakeholders on a “need to know” basis.

In the event of an information security incident, evidence related to the event will be identified, collected, acquired, and preserved in a consistent and effective manner, in accordance with [Company Name]’s Incident Handling Policy and applicable legal requirements. This process ensures that evidence is admissible for disciplinary actions, internal investigations, or potential legal proceedings. Personnel involved in evidence collection will be appropriately trained and qualified.

Following the resolution of information security incidents, a thorough post-incident review will be conducted to analyze the root cause, assess response effectiveness, and identify areas for improvement. Lessons learned from each incident will be documented, communicated to relevant stakeholders, and integrated into updated policies, procedures, and training programs to prevent recurrence and enhance overall security posture.

6. Monitoring, Enforcement, and Consequences

[Company Name] reserves the right to monitor, audit, and log all activities on its information systems and networks, including internet usage, email communications, and file transfers, to ensure compliance with this AUP and other company policies. Such monitoring will be conducted in accordance with applicable laws and regulations, respecting employee privacy where legally required.

A formal disciplinary process is established and communicated to all personnel to address violations of this AUP and other information security policies. Disciplinary actions will be applied consistently, fairly, and in proportion to the severity and nature of the violation, taking into account all relevant legal, legislative, regulatory, contractual, and corporate obligations.

Violations of this AUP may result in a range of consequences, including but not limited to:

  • Verbal or written warnings.
  • Suspension or revocation of access to information systems and assets.
  • Mandatory retraining.
  • Disciplinary action, up to and including termination of employment or contract.
  • Legal action, where applicable, to recover damages or enforce compliance.

This AUP will be communicated to all personnel through multiple channels, including onboarding processes, internal communications (e.g., email, intranet), and regular training sessions. Training will ensure that all employees and relevant stakeholders are aware of and understand the acceptable use policies, their responsibilities, and the importance of adhering to them. Regular refreshers and updates will be provided to keep the policies top-of-mind and reflect evolving threats and technologies.

All personnel are required to explicitly acknowledge their understanding of, and agreement to comply with, this Acceptable Use Policy. This acknowledgment may be obtained through signed consent forms, click-wrap acceptance during system login, or periodic reaffirmation procedures.
Documented user acknowledgment is crucial for legal enforceability and demonstrating due diligence. In the event of a policy violation or a security incident, documented acknowledgment provides clear evidence that the individual was aware of their obligations and the potential consequences of non-compliance.

This Acceptable Use Policy will be reviewed and updated regularly, at least annually, or more frequently as necessitated by changes in legal or regulatory requirements (e.g., DORA updates), technological advancements, organizational structure, or identified risks and incidents. Feedback from incident reviews, audits, and employee suggestions will be incorporated to ensure the policy remains relevant, effective, and aligned with [Company Name]’s evolving security posture.

  • Commission Delegated Regulation (EU) 2024/1774, Article 11(2) and Article 19(b)
  • ISO/IEC 27001:2022, Annex A controls A.5.9, A.5.10, A.5.11, A.5.14, A.5.17, A.5.32, A.6.7, A.7.7, A.7.9, A.7.10, A.8.1, A.8.7, A.8.10, A.8.12, A.8.13, A.8.19, and A.8.23
  • Information Classification Policy
  • Information Transfer Policy
  • Incident Handling Policy