1. Purpose
This policy establishes how [Business Name] expects employees, contractors, and other authorized users to use business systems, networks, devices, and data.
The policy serves three goals:
- Establish expectations. Users know what they're expected to do and not do. Clear expectations protect both [Business Name] and the users.
- Reduce risk. Many security incidents originate in user actions that could have been prevented by clear expectations. The policy reduces this risk by being explicit about acceptable practices.
- Support compliance evidence. Customer questionnaires, audits, and regulatory inquiries routinely ask about user-facing security policies. This policy is what those parties are asking for.
This is the policy employees encounter most often. It directly affects daily work and is the basis for many specific procedures and practices.
2. Scope
This policy applies to:
- All employees, contractors, vendor staff, and other authorized users of [Business Name] systems, networks, devices, or data
- All use of business systems, including from primary offices, remote work locations, customer sites, and personal devices used for business purposes
- All forms of business information regardless of format or storage location
- Use of personal devices for business purposes under approved BYOD arrangements
The policy covers normal business use and is supplemented by specialized policies (Email and Web Use Policy, Remote Work and Mobile Device Policy) for specific domains.
3. Definitions
- Business systems. Any system [Business Name] uses for business operations, including business email, cloud services, financial systems, customer data systems, and IT infrastructure.
- Business data. Any data created, processed, stored, or transmitted by [Business Name] in the course of business, including customer data, employee data, financial information, and intellectual property.
- Business networks. [Business Name]'s wired and wireless networks, including any VPN connections to [Business Name] resources.
- Authorized user. Any individual granted access to [Business Name] systems, data, or networks by [Business Name].
- Acceptable use. Use that supports legitimate business purposes within the constraints established by this policy.
- Personal use. Use of business resources for non-business purposes.
4. Policy Statements
4.1 General Expectations
Authorized users are expected to:
- Use business systems, networks, and data only for legitimate business purposes
- Protect business information consistent with its classification
- Use the access granted to them and not seek or use access beyond what's been granted
- Report suspected security incidents promptly
- Follow the procedures referenced in this and other policies
- Treat business systems and data with the same care expected for similar matters in a professional context
The policy is not a list of every prohibited action; it establishes the expectations that govern user behavior. When in doubt about whether specific use is appropriate, users should ask their manager or [Information Security Lead].
4.2 Account Use
Users authenticate to business systems using their assigned accounts. Specifically:
- Account credentials are not shared with anyone, including coworkers, family members, support staff, or vendors
- Users do not allow others to use their authenticated sessions (for example, by leaving workstations unlocked when stepping away)
- Users do not use accounts assigned to other users
- Users do not create or use accounts that have not been provisioned through the standard process
- Multi-factor authentication is configured and used on all required systems (per the Password and Authentication Policy)
If a user suspects their account has been compromised, they report immediately to [Information Security Lead].
Sample ends here · §4.3 onward continues in the full template