WithPCI.com

Acceptable Use Policy Template

Company Name: [Company Name]
Effective Date: [Date]
Version: [Version Number, e.g., 1.0]
Policy Owner: [CISO/IT Director]
Document Classification: Confidential / Internal Use Only
Parent Policy: Information Security Policy

Purpose

This Acceptable Use Policy defines the requirements and restrictions for the proper use of [Company Name]'s information technology resources, including but not limited to computer systems, networks, applications, data, email, internet access, mobile devices, and telecommunications systems. The purpose is to protect the company's technology assets, sensitive information, and reputation while promoting responsible and ethical use of IT resources. This policy aims to minimize security risks, ensure compliance with legal and regulatory requirements (including PCI DSS 4.0.1), and maintain a productive and secure working environment.


Scope

This policy applies to all individuals who access or use [Company Name]'s information technology resources, including employees, contractors, consultants, temporary staff, third-party service providers, and guests. It covers all company-owned IT resources as well as personal devices used to access company systems or data (BYOD). This policy applies regardless of location, including on-premises, remote work environments, and while traveling.


Roles and Responsibilities

Role/Group and Key Responsibilities:

Executive Management
  - Approve the Acceptable Use Policy
  - Ensure adequate resources for policy implementation
  - Support enforcement actions when necessary

CISO/IT Director
  - Develop and maintain the Acceptable Use Policy
  - Oversee policy implementation and enforcement
  - Review and approve exceptions
  - Report significant violations to executive management

Information Security Team
  - Monitor compliance with the policy
  - Investigate potential violations
  - Provide guidance on acceptable use
  - Implement technical controls to support the policy

IT Department
  - Configure systems to support acceptable use requirements
  - Monitor system usage and report suspicious activities
  - Implement technical controls (web filtering, DLP, etc.)
  - Assist with investigations of potential violations

Human Resources
  - Incorporate the policy into employee onboarding
  - Support disciplinary actions for policy violations
  - Maintain records of policy acknowledgments
  - Assist with policy awareness and training

Department Managers
  - Ensure staff understand and comply with the policy
  - Report suspected violations
  - Request exceptions when business needs require
  - Reinforce acceptable use through leadership

All Users
  - Read, understand, and comply with this policy
  - Complete required security awareness training
  - Report suspected policy violations
  - Seek clarification when uncertain about requirements

Policy Requirements

1. General Use and Ownership

  • 1.1 Business Purpose: [Company Name]'s information technology resources are provided primarily for business purposes to support the company's operational needs. Limited personal use is permitted provided it does not:

    • Interfere with job responsibilities or productivity
    • Consume significant system resources
    • Conflict with business needs
    • Violate any company policies or applicable laws
    • Create additional risk to the company
  • 1.2 Ownership and Privacy: All data created, stored, or transmitted using company systems remains the property of [Company Name]. Users should have no expectation of privacy when using company-provided IT resources.

    • [Company Name] reserves the right to monitor, access, review, copy, store, or delete any files, communications, or other data stored on or transmitted through company systems.
    • Monitoring may be conducted for security, network maintenance, policy compliance, legal proceedings, or other legitimate business purposes.
    • When required by law, [Company Name] will disclose information to legal authorities.
  • 1.3 Risk Management: Users must exercise good judgment regarding appropriate use of IT resources. When in doubt about whether an activity is permitted, users should consult their manager or the IT department.

2. Security and Proprietary Information

  • 2.1 Authentication and Access Control:

    • Users must use strong, unique passwords for all accounts according to the password requirements defined in the Access Management Policy.
    • Passwords must be kept confidential and not shared with anyone, including IT staff.
    • Multi-factor authentication must be used when available.
    • Users must lock their workstations (Ctrl+Alt+Del or Windows+L) when unattended, even for brief periods.
    • Automatic screen locking must be enabled on all devices (maximum 15 minutes of inactivity).
    • Users must not attempt to access systems or data for which they do not have authorization.
  • 2.2 Data Protection:

    • Sensitive information must be handled according to its classification as defined in the Data Protection & Encryption Policy.
    • Cardholder data (CHD) and other regulated data must be protected according to applicable compliance requirements (PCI DSS, GDPR, etc.).
    • Encryption must be used when storing or transmitting sensitive information.
    • Users must not circumvent security controls designed to protect data.
    • Sensitive information must not be stored on local drives, removable media, or unauthorized cloud services without explicit approval and appropriate security controls.
  • 2.3 Confidentiality:

    • Users must protect confidential information from unauthorized disclosure.
    • Confidential information must not be discussed in public places or with unauthorized individuals.
    • When working in public places, users must take precautions to prevent visual disclosure of sensitive information (privacy screens, careful positioning).
    • Confidential information must not be posted on social media or external websites.

3. Email and Communications

  • 3.1 Professional Communication:

    • All electronic communications must be professional, respectful, and comply with company policies.
    • Users must not create or forward content that is harassing, discriminatory, defamatory, obscene, or otherwise inappropriate.
    • Company email signatures must follow the approved format.
    • Users must not send unauthorized mass emails or chain letters.
  • 3.2 Email Security:

    • Users must exercise caution when opening email attachments or clicking on links, especially from unknown or suspicious sources.
    • Users must report suspicious emails (phishing attempts, etc.) to the IT Security team.
    • Sensitive information sent via email must be encrypted or password-protected.
    • Auto-forwarding of company email to external accounts is prohibited without explicit approval.
    • Users must not use personal email accounts for company business.
  • 3.3 External Communications:

    • Only authorized individuals may communicate with the media or make public statements on behalf of the company.
    • Users must not make statements that could damage the company's reputation.
    • Social media use must comply with the company's Social Media Policy.
    • Confidential information must not be disclosed in public forums or social media.

4. Internet Usage

  • 4.1 Acceptable Internet Use:

    • Internet access is provided primarily for business purposes.
    • Limited personal use is permitted provided it does not violate other aspects of this policy or interfere with business operations.
    • Streaming media for non-business purposes should be limited to avoid network congestion.
    • Users must comply with all applicable laws and regulations when using the internet.
  • 4.2 Prohibited Activities:

    • Accessing, downloading, or distributing materials that are illegal, inappropriate, offensive, or potentially harmful to the company's systems or reputation.
    • Circumventing security controls, including web filtering or proxy servers.
    • Using company internet resources for unauthorized commercial activities, personal gain, or political activities.
    • Downloading or using unauthorized software.
    • Conducting unauthorized vulnerability scans, penetration tests, or other security assessments.
    • Participating in online gambling, gaming, or cryptocurrency mining.
  • 4.3 Monitoring:

    • Internet usage may be monitored and logged.
    • Web filtering may be implemented to block access to inappropriate or high-risk websites.
    • Excessive or inappropriate internet usage may be reported to management.

5. Mobile Devices and Remote Access

  • 5.1 Mobile Device Security:

    • Mobile devices (laptops, tablets, smartphones) used to access company resources must be secured with:
      • Strong passwords/PINs or biometric authentication
      • Encryption
      • Automatic screen locking
      • Remote wipe capability where applicable
    • Lost or stolen devices must be reported immediately to IT Security.
    • Company data must be backed up regularly.
    • Users must keep devices updated with the latest security patches.
  • 5.2 Remote Access:

    • Remote access to company resources must use approved secure methods (VPN, etc.).
    • Users must not connect to company resources from unsecured public networks without using VPN.
    • Remote access credentials must not be shared.
    • Users must ensure their home networks are secured with strong passwords and encryption.
    • Remote work environments must maintain the same level of security and confidentiality as on-site locations.
  • 5.3 Bring Your Own Device (BYOD):

    • Personal devices used for company business must comply with the BYOD Policy.
    • Company data on personal devices remains the property of [Company Name].
    • [Company Name] reserves the right to remotely wipe company data from personal devices if necessary.
    • Users must separate personal and company data where possible.
    • Personal devices must meet minimum security requirements before accessing company resources.

6. Software and Hardware

  • 6.1 Authorized Software:

    • Only approved software may be installed on company systems.
    • All software must be properly licensed and used in accordance with license agreements.
    • Users must not install software without appropriate authorization.
    • Software must be obtained from trusted sources.
    • Open source or free software must be approved before use.
  • 6.2 Hardware:

    • Users must not connect unauthorized hardware (USB drives, external hard drives, etc.) to company systems without approval.
    • Hardware must not be removed from company premises without authorization.
    • Users must report damaged, lost, or stolen hardware promptly.
    • Hardware must be returned upon termination of employment or contract.
  • 6.3 Updates and Maintenance:

    • Users must allow security updates to be installed promptly.
    • Users must not disable or circumvent automatic updates.
    • Users must report any system issues or malfunctions promptly.

7. Prohibited Activities

The following activities are strictly prohibited:

  • 7.1 Unauthorized Access:

    • Attempting to gain unauthorized access to systems, data, or facilities.
    • Using another user's credentials or identity.
    • Sharing credentials with others, including colleagues.
    • Exceeding authorized access privileges.
  • 7.2 Malicious Activities:

    • Introducing malware, viruses, or other malicious code.
    • Disrupting or denying service to systems or networks.
    • Circumventing security controls or monitoring.
    • Conducting unauthorized security testing or scanning.
  • 7.3 Inappropriate Content:

    • Creating, accessing, or distributing offensive, harassing, discriminatory, or illegal content.
    • Accessing pornography, hate speech, or violent content.
    • Sending threatening or harassing communications.
  • 7.4 Intellectual Property Violations:

    • Infringing on intellectual property rights.
    • Using unlicensed or pirated software.
    • Unauthorized copying or distribution of copyrighted materials.
  • 7.5 Resource Misuse:

    • Using excessive system resources for non-business purposes.
    • Using company resources for personal gain or commercial activities.
    • Using company resources for political campaigns or activities.
    • Cryptocurrency mining or other resource-intensive activities.

8. Compliance and Reporting

  • 8.1 Policy Compliance:

    • All users must comply with this Acceptable Use Policy.
    • Compliance will be verified through monitoring, audits, and reviews.
    • Users must complete security awareness training that includes acceptable use.
    • New employees must acknowledge this policy during onboarding.
    • All users must re-acknowledge this policy annually.
  • 8.2 Reporting Violations:

    • Users must report suspected policy violations to their manager, IT Security, or through the company's reporting hotline.
    • Reports will be treated confidentially to the extent possible.
    • [Company Name] prohibits retaliation against anyone who reports suspected violations in good faith.
  • 8.3 Exceptions:

    • Exceptions to this policy must be documented and approved by the CISO/IT Director.
    • Exceptions must include a business justification, risk assessment, and time limitation.
    • Exceptions involving high risks may require executive management approval.
    • All exceptions must be reviewed periodically.

Enforcement

  • Violations of this Acceptable Use Policy may result in disciplinary action, up to and including termination of employment or contract, in accordance with [Company Name]'s HR policies and procedures.
  • Depending on the nature and severity of the violation, additional consequences may include:
    • Temporary or permanent revocation of system access
    • Removal of BYOD privileges
    • Legal action
    • Reporting to law enforcement or regulatory authorities
  • The company reserves the right to hold users personally liable for any costs, damages, or liabilities incurred as a result of policy violations.

Revision History

Version | Date | Author | Change Details
1.0 | [Date] | [Author Name] | Initial policy release
[Ver #] | [Date] | [Author Name] | [Summary of changes]

Approval

Name | Title | Signature | Date
[Exec Name] | [Executive Title, e.g., CIO] | ________________ | [Date]
[CISO Name] | [CISO/IT Director Title] | ________________ | [Date]

Appendix A: User Acknowledgment Form

I, ________________________, acknowledge that I have read and understand [Company Name]'s Acceptable Use Policy. I agree to comply with all requirements and restrictions outlined in the policy.

I understand that:

  • [Company Name]'s information technology resources are primarily for business purposes.
  • I have no expectation of privacy when using company systems.
  • My activities on company systems may be monitored.
  • Violations of this policy may result in disciplinary action, up to and including termination.

Employee/Contractor Signature: ________________________

Date: ________________________

Appendix B: PCI DSS 4.0.1 Requirements Mapping

PCI DSS Requirement | Policy Section(s) Covering Requirement | Key Elements Addressed
Req 2.2.7 | Sections 2.1, 5.1, 6.1, 6.3 | Ensure security policies and operational procedures for managing vendor defaults and security parameters are documented, in use, and known to all affected parties.
Req 5.1.1 | Section 6.3 | Anti-malware mechanisms are deployed and maintained to protect systems from malware.
Req 6.4.2 | Section 2.2 | Production data (live PANs) are not used for testing or development.
Req 7.2.1 | Sections 2.1, 7.1 | Access to system components and data is limited to only those individuals whose jobs require such access.
Req 7.2.2 | Section 2.1 | Access is assigned based on job classification and function.
Req 8.2.1 | Section 2.1 | User identification and related accounts for users and administrators are uniquely assigned.
Req 8.2.2 | Section 2.1 | Strong authentication for users and administrators is established and managed.
Req 8.3.6 | Section 2.1 | Accounts used by third parties to access, support, or maintain system components via remote access are managed.
Req 8.6.1 | Section 2.1 | If passwords/passphrases are used as authentication factors, they are set and reset for each user.
Req 8.6.2 | Section 2.1 | If passwords/passphrases are used as authentication factors, they meet minimum strength requirements.
Req 8.6.3 | Section 2.1 | Passwords/passphrases are protected against misuse.
Req 9.4.6 | Sections 5.1, 5.2 | Security controls are implemented for mobile and/or employee-owned devices that store, process, or transmit account data or could impact the security of the CDE.
Req 12.3.1 | Sections 8.1, 8.2 | Security policies are documented and maintained.
Req 12.3.4 | Section 8.1 | Security policy and procedures clearly define information security responsibilities for all personnel.
Req 12.6.1 | Section 8.1 | A formal security awareness program is implemented to make all personnel aware of the importance of cardholder data security.

Appendix C: Examples of Prohibited Activities

The following examples illustrate prohibited activities but are not exhaustive:

  1. Unauthorized Access

    • Using a colleague's credentials to access their email or files
    • Attempting to bypass access controls to access restricted systems
    • Sharing your password with IT support staff or colleagues
  2. Malicious Activities

    • Installing keyloggers or other monitoring software
    • Sending phishing emails to colleagues to test their awareness without authorization
    • Deliberately causing system crashes or network disruptions
  3. Inappropriate Content

    • Storing or viewing pornographic material on company devices
    • Sending emails containing offensive jokes or discriminatory comments
    • Creating or distributing content that could create a hostile work environment
  4. Intellectual Property Violations

    • Installing pirated software on company devices
    • Downloading and using copyrighted images without permission
    • Sharing proprietary company information on public forums
  5. Resource Misuse

    • Using company servers to host a personal website
    • Setting up cryptocurrency mining software on company computers
    • Using company email for extensive personal business activities
    • Streaming non-work-related videos during business hours, consuming significant bandwidth
