Files
tm_back/docs/security/policies/acceptable-use-policy.md
T
Mazyar 06e663b691 Add security and compliance documentation for ISO/IEC 27001
- Introduced a comprehensive suite of security documents to support ISO/IEC 27001 certification, including the ISMS Foundation, Risk Assessment Matrix, Gap Analysis Report, Statement of Applicability, and ISO27001 Roadmap.
- Updated the README to include links to the new security documentation, enhancing the project's compliance framework and providing clear guidance on security policies and procedures.

This addition strengthens the overall security posture of the Tender Management System and aligns with industry standards for information security management.
2026-06-11 01:53:24 +03:30

159 lines
4.8 KiB
Markdown

# Acceptable Use Policy
| Field | Value |
|-------|-------|
| **Document ID** | POL-005 |
| **Version** | 1.0 |
| **Status** | Draft — Pending approval |
| **Owner** | Information Security Officer (ISO) |
| **Effective Date** | _Pending approval_ |
| **Review Cycle** | Annual |
| **ISO 27001 Reference** | A.6.2 — Terms and conditions of employment; A.5.10 — Acceptable use |
Related: [Information Security Policy](./information-security-policy.md) | [Access Control Policy](./access-control-policy.md)
---
## 1. Purpose
This policy defines acceptable and unacceptable use of Tender Management System resources, data, and infrastructure by employees, contractors, and third parties.
---
## 2. Scope
Applies to anyone who:
- Accesses TM production, staging, or development environments
- Handles TM source code, configuration, or customer/company data
- Uses company-issued or personal devices to perform TM-related work
- Integrates third-party services with TM APIs
---
## 3. Acceptable Use
Personnel **may**:
- Access systems and data required for their assigned role
- Use company-approved tools for development, testing, and deployment
- Store TM source code only in authorized Git repositories
- Use staging environments for testing with synthetic or anonymized data
- Report security concerns or suspected incidents without retaliation
- Work remotely using VPN/bastion access as configured by DevOps
---
## 4. Unacceptable Use
Personnel **must not**:
### 4.1 Data Handling
- Copy production PII to personal devices, unauthorized cloud storage, or local unencrypted files
- Share customer or company data with unauthorized persons
- Use production data for development/testing without anonymization approval
- Export bulk data without business justification and ISO approval
### 4.2 Credentials & Access
- Share passwords, API keys, JWT tokens, or SSH keys
- Commit secrets, credentials, or `.env` files with production values to Git
- Use personal accounts for production system access
- Bypass authentication, authorization, or audit controls
- Leave privileged sessions unattended
### 4.3 Systems & Network
- Install unauthorized software on production or staging servers
- Run penetration tests against production without written ISO approval
- Introduce malware, unauthorized scripts, or unvetted dependencies
- Disable security controls (logging, rate limiting, firewalls) without approval
- Mine cryptocurrency or use TM infrastructure for non-business purposes
### 4.4 Development Practices
- Push directly to production branches without peer review
- Deploy untested code to production
- Ignore critical security scan findings without documented risk acceptance
- Log passwords, tokens, or full PII in application logs
### 4.5 Third Parties
- Grant vendor access beyond minimum required scope
- Share API credentials with unauthorized integrators
- Use unapproved AI/LLM tools to process production customer data without DPO review
---
## 5. Device and Remote Work Requirements
| Requirement | Detail |
|-------------|--------|
| Screen lock | Enabled when unattended (≤ 5 min) |
| Full-disk encryption | Required on devices accessing production |
| OS updates | Security patches applied within 30 days |
| Antivirus | Company-approved endpoint protection where applicable |
| Public Wi-Fi | VPN required for production access |
---
## 6. Email and Communication
- Do not transmit passwords or API keys via email or chat
- Use approved secure channels for credential delivery
- Report phishing attempts to ISO immediately
---
## 7. Monitoring and Privacy
The organization reserves the right to monitor use of TM systems and company equipment to:
- Detect security incidents
- Ensure policy compliance
- Protect information assets
Monitoring is conducted in accordance with applicable privacy laws and employment agreements.
---
## 8. Consequences
Violations may result in:
| Severity | Consequence |
|----------|-------------|
| Minor / first offense | Written warning; mandatory retraining |
| Moderate | Suspension of access; formal disciplinary action |
| Severe (data breach, intentional misuse) | Termination; legal action; regulatory reporting |
All violations involving data exposure follow the [Incident Response Plan](./incident-response-plan.md).
---
## 9. Acknowledgment
All personnel must sign or electronically acknowledge this policy:
- Upon onboarding (before production access is granted)
- Annually thereafter
- When materially updated
Records retained by HR/ISO for **3 years**.
---
## 10. Document Control
| Version | Date | Author | Changes |
|---------|------|--------|---------|
| 1.0 | 2026-06-11 | Engineering | Initial policy |
**Approval**
| Role | Name | Signature | Date |
|------|------|-----------|------|
| ISO | _Pending_ | | |
| Executive Sponsor | _Pending_ | | |