--- status: template playbook-section: 50 title: "Acceptable Use & Device Policy" last-reviewed: "[FILL IN: YYYY-MM-DD]" --- # Acceptable Use & Device Policy > **Template status** — fill every `[FILL IN: …]` marker before use. > **Not code-enforced** — device management, endpoint security, and acceptable-use controls are implemented outside the application codebase (MDM, EDR, organisational policy). This template documents those controls; the consumer configures and enforces them at the infrastructure and HR level. --- ## 1. Purpose & Scope This policy defines the acceptable use of devices and systems for all personnel — employees, contractors, and third-party service providers — who access `[FILL IN: organisation name]`'s systems, data, or networks. **Owner:** `[FILL IN: role — e.g., CISO / Head of Engineering]` --- ## 2. Covered Devices | Device type | Management requirement | | -------------------------------------- | -------------------------------------- | | Company-issued laptops / desktops | `[FILL IN: MDM solution]` | | Personal devices (BYOD) — if permitted | `[FILL IN: MDM profile / prohibition]` | | Mobile phones (company-issued) | `[FILL IN:]` | | Personal mobile devices (BYOD) | `[FILL IN:]` | BYOD is `[FILL IN: permitted / not permitted]`. If permitted: `[FILL IN: describe BYOD enrolment requirements]`. --- ## 3. Required Endpoint Controls All devices accessing production systems or personal data MUST have: - [ ] Full-disk encryption enabled: `[FILL IN: e.g., FileVault / BitLocker / dm-crypt]` - [ ] Endpoint protection (antivirus / EDR): `[FILL IN: product name]` - [ ] Automatic OS and software updates enabled - [ ] Screen lock after `[FILL IN: e.g., 5 minutes]` of inactivity - [ ] Strong device passcode / PIN (minimum `[FILL IN: e.g., 8 characters]`) - [ ] Remote-wipe capability enrolled: `[FILL IN: MDM / tool]` - [ ] VPN required for access to `[FILL IN: e.g., production database, staging environment]` --- ## 4. Acceptable Use ### 4.1 Permitted uses - Business activities of `[FILL IN: organisation name]` - Reasonable personal use that does not interfere with professional responsibilities - `[FILL IN: any additional permitted uses]` ### 4.2 Prohibited uses - Accessing, storing, or processing personal data outside approved systems - Installing unapproved software on managed devices: `[FILL IN: software approval process]` - Sharing credentials or device access with unauthorised parties - Using personal cloud storage for business data: `[FILL IN: exceptions, if any]` - `[FILL IN: any organisation-specific prohibitions]` --- ## 5. Lost or Stolen Devices 1. Report immediately to `[FILL IN: contact — e.g., IT helpdesk / security@org]`. 2. Remote wipe is initiated within `[FILL IN: e.g., 2 hours]` of report. 3. The incident is assessed for personal-data impact and escalated to the incident runbook if PII was accessible (see [`incident-runbook.template.md`](./incident-runbook.template.md)). 4. Document in `[FILL IN: incident tracker]`. --- ## 6. Device Return & Offboarding On termination or role change, devices are returned within `[FILL IN: e.g., 1 business day]` and wiped via `[FILL IN: wipe procedure]`. See [`offboarding.template.md`](./offboarding.template.md) for the full offboarding checklist. --- ## 7. Review Cycle This policy is reviewed `[FILL IN: frequency — e.g., annually]`. The next scheduled review is `[FILL IN: YYYY-MM-DD]`.