An IT Acceptable Use Policy (AUP) defines the rules governing how employees, contractors, and visitors may use company IT systems, devices, and data. It's a foundational document for ISO 27001 compliance, Cyber Essentials certification, and protecting the organisation from insider threat and liability. Review annually and require all staff to sign.
Policy Template — Device & System Usage
SECTION 1: DEVICE USAGE

1.1 Company-Issued Devices
All company-issued devices (laptops, phones, tablets) must be used primarily for business purposes. Personal use is permitted on a limited, reasonable basis provided it does not:
- Compromise device security
- Use excessive bandwidth or storage
- Access inappropriate content

1.2 Device Security
Users must:
- Keep operating systems and applications updated
- Never disable antivirus/endpoint protection software
- Never share devices with non-employees without IT approval
- Lock screen when stepping away (Windows+L / Cmd+Ctrl+Q)
- Report lost or stolen devices to IT immediately (within 2 hours)

1.3 Encryption
All company devices must have full-disk encryption enabled:
- Windows: BitLocker
- macOS: FileVault
- Mobile: Enable device encryption and PIN/biometric lock
Policy Template — Internet & Email
SECTION 2: INTERNET AND EMAIL USE

2.1 Acceptable Internet Use
The following is prohibited on company systems and networks:
- Accessing pornographic, extremist, or illegal content
- Downloading software without IT approval
- Circumventing web filters or using anonymising proxies
- Conducting personal business for commercial gain
- Streaming media that consumes excessive bandwidth during business hours

2.2 Email Usage
- Company email must only be used for business purposes
- Do not send sensitive personal data (PII, financial data) via unencrypted email
- Phishing emails: do not click links — report to IT via the Phish Alert Button (PAB)
- Do not create mailing lists or mass-mail without Marketing approval
- Auto-forwarding to personal email accounts is prohibited

2.3 Social Media
- Do not post confidential company information on social media
- Do not make public statements on behalf of the company without authorisation
- Clearly state when views are personal and not those of [Company Name]
Policy Template — Data Handling & Classification
SECTION 3: DATA CLASSIFICATION AND HANDLING

3.1 Data Classification Levels
- PUBLIC: Approved for external distribution (marketing materials, published docs)
- INTERNAL: For employees only; not for external distribution
- CONFIDENTIAL: Sensitive business data; limited distribution on a need-to-know basis
- RESTRICTED: Highly sensitive (PII, financial data, medical); strict access and handling required

3.2 Handling Rules by Classification
- CONFIDENTIAL and RESTRICTED data must never be stored on personal devices
- RESTRICTED data must be encrypted at rest and in transit
- RESTRICTED data must not be emailed without encryption (use Virtru, Tresorit, or similar)
- Physical documents containing RESTRICTED data must be stored securely and shredded when no longer needed

3.3 Personal Data (GDPR)
- Personal data must only be processed for the specific purpose for which it was collected
- Personal data must not leave the UK/EEA without appropriate safeguards
- Requests from individuals to access, delete, or export their data must be escalated to the DPO within 24 hours
Policy Template — BYOD (Bring Your Own Device)
SECTION 4: BRING YOUR OWN DEVICE (BYOD)

4.1 Enrollment
Personal devices used for work must be enrolled in the company Mobile Device Management (MDM) system before accessing company data. Contact IT to enroll your device.

4.2 Required Security Controls
Enrolled personal devices must have:
- Minimum 6-digit PIN or biometric lock
- Up-to-date operating system (within 1 major version of current)
- Device encryption enabled
- Up-to-date antivirus (iOS/Android built-in is acceptable)

4.3 Company Rights on BYOD
By enrolling a personal device, you consent to:
- Remote wipe of COMPANY DATA ONLY (not personal data) in the event of loss or theft
- Monitoring of corporate email and company-data access (not personal data)
- Removal of company applications and data upon employment termination

4.4 Separation of Personal and Corporate Data
- Company data must be accessed via company-approved apps only (not downloaded copies)
- Do not transfer company data to personal apps (e.g. copying work files to personal Google Drive)
AUP Implementation Checklist