Use this template to create an IT acceptable use policy.

---

IT Acceptable Use Policy

[Company Name]

Policy Owner: [IT Manager/HR] Last Reviewed: [Date] Next Review: [Date]

---

1. Purpose

This policy sets out the rules for use of Company IT systems, equipment, and communications. It aims to protect the Company, its data, and its employees while enabling effective use of technology.

---

2. Scope

This policy applies to:

• All employees, contractors, and workers
• All Company IT equipment and systems
• Any personal devices used for work (BYOD)
• All Company data wherever stored

---

3. IT Equipment

3.1 Company Equipment

Company IT equipment including computers, laptops, phones, and tablets:

• Remains Company property
• Must be used primarily for work purposes
• Must be kept secure and in good condition
• Must be returned when requested or on leaving

3.2 Personal Devices (BYOD)

If you use personal devices for work:

• You must comply with security requirements
• Company data must be kept secure
• We may require security software to be installed
• Work data may be remotely wiped if the device is lost

---

4. Passwords and Security

4.1 Password Requirements

Requirement	Standard
Minimum length	[12] characters
Complexity	Mixed case, numbers, symbols
Change frequency	[Every 90 days]
Reuse	Do not reuse previous passwords
Sharing	Never share passwords

4.2 Security Practices

You must:

• Lock your screen when away from your computer
• Log out at the end of the day
• Not leave devices unattended in public places
• Report lost or stolen devices immediately
• Not install unauthorised software
• Keep software updated

---

5. Email

5.1 Professional Use

When using email:

• Use professional language and tone
• Check recipients before sending sensitive information
• Be aware that emails can be forwarded and disclosed
• Do not send unnecessary large attachments
• Use clear subject lines

5.2 Prohibited Use

Do not use email to:

• Send or forward discriminatory, offensive, or harassing content
• Share confidential information without authorisation
• Send spam or chain emails
• Conduct personal business that conflicts with work

5.3 Email Retention

• Emails are Company records and may be retained
• Deletion does not guarantee permanent removal
• Emails may be accessed for legitimate business purposes

---

6. Internet Use

6.1 Acceptable Use

The internet may be used for:

• Work-related research and tasks
• Limited personal use during breaks
• Professional networking (e.g., LinkedIn)

6.2 Prohibited Use

Do not use Company internet to access:

Category	Examples
Illegal content	Piracy, illegal material
Offensive content	Pornography, hate speech
Gambling	Online betting sites
Personal business	Running side businesses
High bandwidth	Excessive streaming
Risky sites	Known malware sources

6.3 Downloads

• Only download software approved by IT
• Do not download pirated content
• Be cautious with email attachments from unknown sources

---

7. Data Security

7.1 Confidential Data

When handling confidential data:

• Only access data you need for your role
• Store data in approved locations
• Encrypt sensitive data when transmitting
• Do not share data without authorisation
• Dispose of data securely

7.2 External Storage

• USB drives and external storage must be approved by IT
• Sensitive data should not be stored on personal devices
• Cloud storage must be approved (e.g., Company OneDrive only)

7.3 Working Remotely

When working remotely:

• Use secure, password-protected Wi-Fi
• Do not use public Wi-Fi for sensitive work
• Ensure screens are not visible to others
• Secure physical documents

---

8. Software

8.1 Authorised Software

• Only use software provided or approved by IT
• Do not install personal software
• Do not disable security software

8.2 Licensing

• Respect software licensing terms
• Report any licensing concerns to IT
• Do not copy or share licensed software

---

9. Monitoring

9.1 What We Monitor

The Company may monitor:

Monitored Item	Purpose
Email content and metadata	Security, policy compliance
Internet browsing	Security, appropriate use
System access logs	Security, audit
File access	Security, audit
Device location	Security (Company devices)

9.2 Purpose

Monitoring is conducted to:

• Protect Company systems and data
• Ensure policy compliance
• Investigate suspected misuse
• Meet legal and regulatory obligations

9.3 Privacy

While we respect privacy, you should have no expectation of privacy when using Company systems. All use may be monitored and recorded.

---

10. Reporting Security Incidents

Report immediately to [IT/Manager] if:

• You suspect a security breach
• Your device is lost or stolen
• You receive suspicious emails (phishing)
• You accidentally share confidential data
• You notice unusual system behaviour

---

11. When You Leave

On leaving the Company:

• Return all IT equipment
• Your system access will be revoked
• Company emails and data will be retained/archived
• Personal files should be removed before leaving
• Do not copy Company data

---

12. Consequences of Breach

Breach of this policy may result in:

• Disciplinary action up to dismissal
• Revocation of IT access
• Legal action in serious cases

---

13. Training

All employees will receive IT security awareness training at induction and annually thereafter.

---

14. Review

This policy will be reviewed annually.

---

Key Contacts

Issue	Contact
IT Support	[Contact details]
Security Incidents	[Contact details]
Policy Queries	[Contact details]

---

Document Control

Version	Date	Author	Changes
1.0	[Date]	[Name]	Initial version