Cybersecurity Acceptable Use Policy
Cybersecurity Acceptable Use Policy template for setting password, MFA, phishing, device, and incident-reporting rules for company systems. Use it to define what employees can and cannot do before a security issue turns into a breach.
Overview
This Cybersecurity Acceptable Use Policy template sets the rules employees must follow when using company systems, accounts, devices, email, internet access, and data. It is built for organizations that want a clear, enforceable standard for passwords, MFA, phishing reporting, approved software, remote access, and incident escalation.
Use it when you need a policy that employees can actually follow and managers can actually enforce. It works well for onboarding acknowledgments, annual policy refreshes, contractor access, and security training rollouts. The template also helps define what counts as prohibited use, how to report suspicious activity, who approves exceptions, and what happens after a violation or suspected compromise.
Do not use this as a substitute for a broader information security program, a data retention policy, or a full incident response plan. It is also not the right place for detailed technical standards that belong in IT procedures unless you want to reference them at a high level. If your workforce spans multiple jurisdictions, add location-specific language for privacy, monitoring, and employee notice requirements. The policy should also be coordinated with ADA accommodation needs, NLRA-protected activity boundaries, and any state-specific overlays that affect employee monitoring, reporting, or discipline.
Standards & compliance context
- Use this policy alongside FLSA recordkeeping and timekeeping controls if employee device use affects hours worked, after-hours access, or overtime tracking.
- Keep monitoring and data-handling language consistent with Title VII and EEOC expectations, and avoid rules that could be applied unevenly across protected classes.
- If the policy affects employee access to systems needed for a disability-related accommodation, coordinate with the ADA interactive process and document any reasonable accommodation.
- Do not restrict NLRA-protected concerted activity, such as employees discussing wages or working conditions, even when the policy limits confidential business data and security-sensitive systems.
- Add state-specific language where needed for California employees, Illinois One-Day-Rest-In-Seven scheduling impacts, Washington paid sick leave coordination, or other local notice and privacy rules.
- If the policy covers employee or customer personal data, align notice, access, retention, and deletion practices with GDPR or CCPA requirements as applicable.
General regulatory context for orientation only — verify current requirements with counsel or the relevant agency before relying on this template for compliance.
What's inside this template
Purpose
Explains why the policy exists and what risk it is meant to reduce.
This policy establishes the minimum requirements for secure and acceptable use of company systems. It is intended to protect company data, maintain business continuity, reduce cyber risk, and define employee expectations for reporting suspicious activity and security incidents.
Scope
Defines which workers, systems, devices, and data are covered so there is no ambiguity.
This policy applies to all employees, contractors, temporary workers, interns, and any other authorized users who access company systems or data. It applies to use of company-owned devices, personal devices used for work, remote access tools, email, messaging platforms, cloud services, and any system that stores or transmits company information.

**Jurisdiction-specific carve-outs:**
- **California employees:** Monitoring, access, and data-handling practices must be applied consistently with the California Consumer Privacy Act (CCPA) and any applicable notice obligations.
- **New York employees:** Nothing in this policy limits protected whistleblowing activity under New York Labor Law Section 740.
- **All U.S. employees:** This policy will be interpreted consistently with NLRA Section 7 rights, including protected concerted activity, and will not be used to restrict lawful wage, hour, or working-condition discussions.
Definitions
Clarifies key terms like MFA, phishing, approved software, and incident so employees and managers use the same language.
Key terms used in this policy are defined in the Definitions section of the template data. Additional terms used in the policy include:
- **Policy holder:** The manager or department responsible for maintaining and enforcing this policy.
- **Reasonable accommodation:** A workplace adjustment required under the ADA that may affect how a user accesses systems or completes security steps.
- **Interactive process:** The good-faith, individualized process used to evaluate accommodation requests under the ADA.
- **Good faith:** Honest, timely, and cooperative participation in required security practices, reporting, and investigations.
- **Documented warning:** A written notice of policy noncompliance that identifies the issue, expected correction, and potential consequences.
- **PIP:** A performance improvement plan used when repeated policy violations are tied to performance or conduct concerns.
Policy
States the actual rules employees must follow when using company technology and data.
Users must protect company systems and data at all times and must use company resources only for authorized business purposes, limited personal use where permitted by management, and lawful activity.

**Required security standards**
- Use unique passwords for company accounts and do not reuse passwords across systems.
- Passwords must meet company complexity and length standards and must not be shared, written in plain view, or stored in unsecured locations.
- MFA is required for company email, remote access, administrative access, and any system designated as sensitive or high-risk.
- Users must lock screens when away from their devices and must not bypass security controls, endpoint protection, or access restrictions.
- Company data must be stored only in approved systems and must not be forwarded to personal email, personal cloud storage, or unauthorized messaging apps.

**Prohibited conduct**
- Accessing systems, files, or accounts without authorization.
- Installing unauthorized software, browser extensions, or hardware.
- Disabling antivirus, logging, encryption, MFA, or other security tools.
- Using company systems to harass, discriminate, threaten, or engage in unlawful activity.
- Sending, storing, or transmitting company data through unapproved channels.
- Opening suspicious attachments, clicking unknown links, or bypassing phishing warnings.

**Privacy and monitoring notice**

Company systems may be monitored, logged, and reviewed for security, compliance, operational, and investigative purposes to the extent permitted by law. Users should not expect personal privacy when using company systems, except where required by law.
Procedure
Shows the step-by-step process for reporting, approval, escalation, and exception handling.
**1. Account access and password management**
- Users must create passwords that meet the company's minimum length and complexity requirements.
- Passwords must be changed immediately if compromise is suspected or if the company requires a reset following a security event.
- Users must not share credentials with coworkers, supervisors, vendors, or family members.
- Privileged accounts must use stronger authentication controls and may require additional approval.

**2. Multi-factor authentication (MFA)**
- MFA must be enabled where required by IT or Security.
- Users must approve only legitimate login prompts and must report unexpected prompts immediately.
- Lost, stolen, or replaced MFA devices must be reported to IT/Security without delay.

**3. Phishing and suspicious activity reporting**
- Users must report suspected phishing emails, texts, calls, QR-code scams, and suspicious login prompts as soon as possible.
- Reports should include the message, sender, time received, and any actions taken.
- Users must not forward suspicious messages to coworkers except as directed by Security for investigation.

**4. Security incident response expectations**
- Any suspected incident must be reported immediately to IT, Security, or the designated incident response contact.
- Examples include lost devices, accidental data disclosure, malware alerts, unauthorized access, or misdirected sensitive information.
- Users must preserve evidence, stop further use if instructed, and cooperate in good faith with containment, investigation, and remediation steps.
- Users must not delete logs, alter records, or notify external parties unless authorized by Security, Legal, or management.

**5. Remote work and BYOD**
- Personal devices used for work must comply with company security requirements, including screen locks, encryption where required, and approved access methods.
- Users must avoid public Wi-Fi for sensitive work unless protected by approved secure access tools.
- Lost or stolen devices used for company work must be reported immediately.
Roles & Responsibilities
Assigns ownership so HR, IT, Security, managers, and employees know who does what.
**Employees and other users**
- Follow this policy and complete required security training.
- Protect credentials, devices, and company data.
- Report phishing, incidents, and suspected policy violations promptly.

**Managers**
- Reinforce compliance expectations and escalate repeated issues.
- Ensure team members complete required training and acknowledgements.

**IT / Security**
- Maintain technical controls, access management, logging, and incident response procedures.
- Investigate reports, coordinate containment, and document remediation actions.

**HR**
- Support policy acknowledgement tracking, training compliance, and disciplinary action where appropriate.
- Coordinate with Legal and Security on employee-related investigations.

**Policy holder**
- Review and update the policy, approve exceptions, and ensure jurisdiction-specific requirements are addressed.
Compliance, Discipline, and Exceptions
Explains enforcement, documented warning and PIP pathways, and how exceptions are approved and tracked.
Violations of this policy may result in access restrictions, retraining, a documented warning, a PIP, disciplinary action up to and including termination, and/or legal action where appropriate. The company may also revoke system access immediately when necessary to protect company data or operations.

**Exceptions**
- Exceptions must be approved in writing by the policy holder, IT/Security, and, where applicable, Legal or HR.
- ADA-related accommodation requests will be reviewed through the interactive process to determine whether a reasonable accommodation can be provided without creating an undue hardship or unacceptable security risk.
- Any exception must be time-limited, documented, and reviewed periodically.
Review & Revision
Sets the effective_date, version control, and annual review_frequency so the policy stays current.
This policy will be reviewed at least annually and updated as needed to reflect changes in law, technology, business operations, or security risk. Revisions should be approved by the policy holder, HR, IT/Security, and Legal as appropriate. Employees will be notified of material changes and may be required to re-acknowledge the policy.
How to use this template
1. Fill in the policy holder, effective_date, version, review_frequency, applicable_jurisdictions, and applicable_roles before publishing the policy.
2. Customize the Scope and Definitions sections so employees know which systems, devices, data types, and account categories are covered.
3. Set the concrete rules in the Policy section for passwords, MFA, approved software, email use, remote access, and prohibited activities.
4. Map the Procedure section to your real workflow for phishing reports, lost devices, suspected compromise, exception requests, and escalation to IT or Security.
5. Assign Roles & Responsibilities to HR, IT, Security, managers, and employees so each party knows who approves access, investigates issues, and issues documented warning or PIP follow-up when needed.
6. Review the Compliance, Discipline, and Exceptions section with legal or HR leadership, then collect employee acknowledgments and retrain after incidents or policy changes.
Best practices
- Require MFA for all remote access, email, and admin accounts unless a documented exception is approved by the policy holder.
- State exactly how quickly employees must report phishing, lost devices, or suspected account compromise so the response team can act before damage spreads.
- Limit acceptable use rules to behaviors employees can understand, such as approved software, password sharing, data downloads, and personal use boundaries.
- Document exception approvals in writing with an expiration date, compensating controls, and the name of the approving manager or Security lead.
- Tie violations to a consistent discipline path so repeated misuse can move from coaching to documented warning to PIP where appropriate.
- Include a clear rule for personal devices, removable media, and cloud storage so employees do not move company data into unmanaged tools.
- Coordinate the policy with onboarding and annual training so employees acknowledge the rules before they receive access and again at review time.
Frequently asked questions
What does this acceptable use policy template cover?
This template covers employee use of company systems, accounts, devices, email, internet access, and data handling. It includes password standards, MFA expectations, phishing reporting, prohibited activities, and basic incident-response steps. It is designed to set clear day-to-day rules, not to replace a full information security program.
Who should use and enforce this policy?
HR, IT, Security, and policy holders in management typically use this policy together. HR usually owns the employee-facing policy language, while IT or Security defines the technical controls and reporting workflow. Managers should reinforce the policy during onboarding and when exceptions or violations arise.
How often should this policy be reviewed?
Review it at least annually, and sooner after a security incident, major system change, merger, or legal update. Annual review_frequency is important because password, MFA, and remote-access practices change quickly. The policy should also be updated when new tools or jurisdictions change how employee data is handled.
Does this template address legal and regulatory requirements?
Yes, it is written to align with common workplace compliance needs tied to FLSA recordkeeping, Title VII and EEOC anti-harassment expectations, ADA accommodation handling for access needs, and NLRA-protected concerted activity boundaries. It also supports privacy and data-handling practices that may need GDPR or CCPA language depending on where employees or systems are located. State-specific overlays should be added where applicable.
What are the most common mistakes this policy helps prevent?
Common mistakes include sharing passwords, ignoring MFA prompts, forwarding suspicious emails, using unmanaged devices without approval, and failing to report a lost laptop or suspected compromise. Another frequent gap is leaving exceptions informal instead of documenting them. This template helps turn those issues into clear rules and escalation steps.
Can this template be customized for different teams or locations?
Yes, and it should be. You can add jurisdiction-specific carve-outs, such as California employees, remote workers, or regulated teams that handle sensitive data. You can also tailor the acceptable-use rules for engineering, finance, customer support, or executives without changing the policy structure.
How does this compare with ad-hoc security reminders?
Ad-hoc reminders are easy to forget and hard to enforce. A formal policy creates a single policy holder, a documented standard, and a consistent process for reporting, exceptions, and discipline. That makes training, audits, and incident response much easier to manage.
What should be integrated with this policy rollout?
It should be paired with onboarding, annual security training, phishing simulations, device enrollment, access provisioning, and incident-response playbooks. If your company uses an HRIS, ticketing system, or LMS, those tools can track acknowledgments, exceptions, and retraining. The policy works best when the procedure matches the actual tools employees use.