# Acceptable Use Policy | Field | Value | |-------|-------| | **Document ID** | POL-005 | | **Version** | 1.0 | | **Status** | Draft — Pending approval | | **Owner** | Information Security Officer (ISO) | | **Effective Date** | _Pending approval_ | | **Review Cycle** | Annual | | **ISO 27001 Reference** | A.6.2 — Terms and conditions of employment; A.5.10 — Acceptable use | Related: [Information Security Policy](./information-security-policy.md) | [Access Control Policy](./access-control-policy.md) --- ## 1. Purpose This policy defines acceptable and unacceptable use of Tender Management System resources, data, and infrastructure by employees, contractors, and third parties. --- ## 2. Scope Applies to anyone who: - Accesses TM production, staging, or development environments - Handles TM source code, configuration, or customer/company data - Uses company-issued or personal devices to perform TM-related work - Integrates third-party services with TM APIs --- ## 3. Acceptable Use Personnel **may**: - Access systems and data required for their assigned role - Use company-approved tools for development, testing, and deployment - Store TM source code only in authorized Git repositories - Use staging environments for testing with synthetic or anonymized data - Report security concerns or suspected incidents without retaliation - Work remotely using VPN/bastion access as configured by DevOps --- ## 4. Unacceptable Use Personnel **must not**: ### 4.1 Data Handling - Copy production PII to personal devices, unauthorized cloud storage, or local unencrypted files - Share customer or company data with unauthorized persons - Use production data for development/testing without anonymization approval - Export bulk data without business justification and ISO approval ### 4.2 Credentials & Access - Share passwords, API keys, JWT tokens, or SSH keys - Commit secrets, credentials, or `.env` files with production values to Git - Use personal accounts for production system access - Bypass authentication, authorization, or audit controls - Leave privileged sessions unattended ### 4.3 Systems & Network - Install unauthorized software on production or staging servers - Run penetration tests against production without written ISO approval - Introduce malware, unauthorized scripts, or unvetted dependencies - Disable security controls (logging, rate limiting, firewalls) without approval - Mine cryptocurrency or use TM infrastructure for non-business purposes ### 4.4 Development Practices - Push directly to production branches without peer review - Deploy untested code to production - Ignore critical security scan findings without documented risk acceptance - Log passwords, tokens, or full PII in application logs ### 4.5 Third Parties - Grant vendor access beyond minimum required scope - Share API credentials with unauthorized integrators - Use unapproved AI/LLM tools to process production customer data without DPO review --- ## 5. Device and Remote Work Requirements | Requirement | Detail | |-------------|--------| | Screen lock | Enabled when unattended (≤ 5 min) | | Full-disk encryption | Required on devices accessing production | | OS updates | Security patches applied within 30 days | | Antivirus | Company-approved endpoint protection where applicable | | Public Wi-Fi | VPN required for production access | --- ## 6. Email and Communication - Do not transmit passwords or API keys via email or chat - Use approved secure channels for credential delivery - Report phishing attempts to ISO immediately --- ## 7. Monitoring and Privacy The organization reserves the right to monitor use of TM systems and company equipment to: - Detect security incidents - Ensure policy compliance - Protect information assets Monitoring is conducted in accordance with applicable privacy laws and employment agreements. --- ## 8. Consequences Violations may result in: | Severity | Consequence | |----------|-------------| | Minor / first offense | Written warning; mandatory retraining | | Moderate | Suspension of access; formal disciplinary action | | Severe (data breach, intentional misuse) | Termination; legal action; regulatory reporting | All violations involving data exposure follow the [Incident Response Plan](./incident-response-plan.md). --- ## 9. Acknowledgment All personnel must sign or electronically acknowledge this policy: - Upon onboarding (before production access is granted) - Annually thereafter - When materially updated Records retained by HR/ISO for **3 years**. --- ## 10. Document Control | Version | Date | Author | Changes | |---------|------|--------|---------| | 1.0 | 2026-06-11 | Engineering | Initial policy | **Approval** | Role | Name | Signature | Date | |------|------|-----------|------| | ISO | _Pending_ | | | | Executive Sponsor | _Pending_ | | |