Files
tm_back/docs/security/policies/acceptable-use-policy.md
T
Mazyar 06e663b691 Add security and compliance documentation for ISO/IEC 27001
- Introduced a comprehensive suite of security documents to support ISO/IEC 27001 certification, including the ISMS Foundation, Risk Assessment Matrix, Gap Analysis Report, Statement of Applicability, and ISO27001 Roadmap.
- Updated the README to include links to the new security documentation, enhancing the project's compliance framework and providing clear guidance on security policies and procedures.

This addition strengthens the overall security posture of the Tender Management System and aligns with industry standards for information security management.
2026-06-11 01:53:24 +03:30

4.8 KiB

Acceptable Use Policy

Field Value
Document ID POL-005
Version 1.0
Status Draft — Pending approval
Owner Information Security Officer (ISO)
Effective Date Pending approval
Review Cycle Annual
ISO 27001 Reference A.6.2 — Terms and conditions of employment; A.5.10 — Acceptable use

Related: Information Security Policy | Access Control Policy


1. Purpose

This policy defines acceptable and unacceptable use of Tender Management System resources, data, and infrastructure by employees, contractors, and third parties.


2. Scope

Applies to anyone who:

  • Accesses TM production, staging, or development environments
  • Handles TM source code, configuration, or customer/company data
  • Uses company-issued or personal devices to perform TM-related work
  • Integrates third-party services with TM APIs

3. Acceptable Use

Personnel may:

  • Access systems and data required for their assigned role
  • Use company-approved tools for development, testing, and deployment
  • Store TM source code only in authorized Git repositories
  • Use staging environments for testing with synthetic or anonymized data
  • Report security concerns or suspected incidents without retaliation
  • Work remotely using VPN/bastion access as configured by DevOps

4. Unacceptable Use

Personnel must not:

4.1 Data Handling

  • Copy production PII to personal devices, unauthorized cloud storage, or local unencrypted files
  • Share customer or company data with unauthorized persons
  • Use production data for development/testing without anonymization approval
  • Export bulk data without business justification and ISO approval

4.2 Credentials & Access

  • Share passwords, API keys, JWT tokens, or SSH keys
  • Commit secrets, credentials, or .env files with production values to Git
  • Use personal accounts for production system access
  • Bypass authentication, authorization, or audit controls
  • Leave privileged sessions unattended

4.3 Systems & Network

  • Install unauthorized software on production or staging servers
  • Run penetration tests against production without written ISO approval
  • Introduce malware, unauthorized scripts, or unvetted dependencies
  • Disable security controls (logging, rate limiting, firewalls) without approval
  • Mine cryptocurrency or use TM infrastructure for non-business purposes

4.4 Development Practices

  • Push directly to production branches without peer review
  • Deploy untested code to production
  • Ignore critical security scan findings without documented risk acceptance
  • Log passwords, tokens, or full PII in application logs

4.5 Third Parties

  • Grant vendor access beyond minimum required scope
  • Share API credentials with unauthorized integrators
  • Use unapproved AI/LLM tools to process production customer data without DPO review

5. Device and Remote Work Requirements

Requirement Detail
Screen lock Enabled when unattended (≤ 5 min)
Full-disk encryption Required on devices accessing production
OS updates Security patches applied within 30 days
Antivirus Company-approved endpoint protection where applicable
Public Wi-Fi VPN required for production access

6. Email and Communication

  • Do not transmit passwords or API keys via email or chat
  • Use approved secure channels for credential delivery
  • Report phishing attempts to ISO immediately

7. Monitoring and Privacy

The organization reserves the right to monitor use of TM systems and company equipment to:

  • Detect security incidents
  • Ensure policy compliance
  • Protect information assets

Monitoring is conducted in accordance with applicable privacy laws and employment agreements.


8. Consequences

Violations may result in:

Severity Consequence
Minor / first offense Written warning; mandatory retraining
Moderate Suspension of access; formal disciplinary action
Severe (data breach, intentional misuse) Termination; legal action; regulatory reporting

All violations involving data exposure follow the Incident Response Plan.


9. Acknowledgment

All personnel must sign or electronically acknowledge this policy:

  • Upon onboarding (before production access is granted)
  • Annually thereafter
  • When materially updated

Records retained by HR/ISO for 3 years.


10. Document Control

Version Date Author Changes
1.0 2026-06-11 Engineering Initial policy

Approval

Role Name Signature Date
ISO Pending
Executive Sponsor Pending