12.2.1 Acceptable use policies for end-user technologies are documented and implemented, including:
Defined Approach Requirements
12.2.1 Acceptable use policies for end-user technologies are documented and implemented, including:
- Explicit approval by authorized parties.
- Acceptable uses of the technology.
- List of products approved by the company for employee use, including hardware and software.
Customized Approach Objective
The use of end-user technologies is defined and managed to ensure authorized usage.
Applicability Notes
Examples of end-user technologies for which acceptable use policies are expected include, but are not limited to, remote access and wireless technologies, laptops, tablets, mobile phones, and removable electronic media, email usage, and Internet usage.
Defined Approach Testing Procedures
12.2.1 Examine the acceptable use policies for end-user technologies and interview responsible personnel to verify processes are documented and implemented in accordance with all elements specified in this requirement.
Purpose
End-user technologies are a significant investment and may pose significant risk to an organization if not managed properly. Acceptable use policies outline the expected behavior from personnel when using the organization's information technology and reflect the organization's risk tolerance.
These policies instruct personnel on what they can and cannot do with company equipment and instruct personnel on correct and incorrect uses of company Internet and email resources. Such policies can legally protect an organization and allow it to act when the policies are violated.
Good Practice
It is important that usage policies are supported by technical controls to manage the enforcement of the policies.
Structuring policies as simple "do" and "do not" requirements that are linked to a purpose can help remove ambiguity and provide personnel with the context for the requirement.
Definitions
Acceptable use policies define the requirements for how end users may use company-owned technology resources, including computers, devices, and network access.
Purpose
Establish a risk assessment process that is performed at least annually and upon significant changes.
Compliance Strategies
- Annual risk assessments
- Change-driven risk reviews
Typical Policies
- Risk Assessment Policy
Common Pitfalls
- Missed assessments
- No documentation of risk analysis
Type
Process Control
Difficulty
Moderate
Key Risks
- Unidentified or unmanaged risks
Recommendations
- Use risk management tools (RSA Archer, LogicManager)
Eligible SAQ
- SAQ-C
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER