
Cybersecurity Acceptable Use Policy

Cybersecurity Acceptable Use Policy template for setting password, MFA, phishing, device, and incident-reporting rules for company systems. Use it to define ...


Purpose

This policy establishes the minimum requirements for secure and acceptable use of company systems. It is intended to protect company data, maintain business continuity, reduce cyber risk, and define employee expectations for reporting suspicious activity and security incidents.

Scope

This policy applies to all employees, contractors, temporary workers, interns, and any other authorized users who access company systems or data. It applies to use of company-owned devices, personal devices used for work, remote access tools, email, messaging platforms, cloud services, and any system that stores or transmits company information.

**Jurisdiction-specific carve-outs:**

- **California employees:** Monitoring, access, and data-handling practices must be applied consistently with the California Consumer Privacy Act (CCPA) and any applicable notice obligations.
- **New York employees:** Nothing in this policy limits protected whistleblowing activity under New York Labor Law Section 740.
- **All U.S. employees:** This policy will be interpreted consistently with NLRA Section 7 rights, including protected concerted activity, and will not be used to restrict lawful wage, hour, or working-condition discussions.

Definitions

Key terms used in this policy are defined in the Definitions section of the template data. Additional terms used in the policy include:

- **Policy holder:** The manager or department responsible for maintaining and enforcing this policy.
- **Reasonable accommodation:** A workplace adjustment required under the ADA that may affect how a user accesses systems or completes security steps.
- **Interactive process:** The good-faith, individualized process used to evaluate accommodation requests under the ADA.
- **Good-faith:** Honest, timely, and cooperative participation in required security practices, reporting, and investigations.
- **Documented warning:** A written notice of policy noncompliance that identifies the issue, expected correction, and potential consequences.
- **PIP:** A performance improvement plan used when repeated policy violations are tied to performance or conduct concerns.

Policy

Users must protect company systems and data at all times and must use company resources only for authorized business purposes, limited personal use where permitted by management, and lawful activity.

**Required security standards**

- Use unique passwords for company accounts and do not reuse passwords across systems.
- Passwords must meet company complexity and length standards and must not be shared, written in plain view, or stored in unsecured locations.
- MFA is required for company email, remote access, administrative access, and any system designated as sensitive or high-risk.
- Users must lock screens when away from their devices and must not bypass security controls, endpoint protection, or access restrictions.
- Company data must be stored only in approved systems and must not be forwarded to personal email, personal cloud storage, or unauthorized messaging apps.

**Prohibited conduct**

- Accessing systems, files, or accounts without authorization.
- Installing unauthorized software, browser extensions, or hardware.
- Disabling antivirus, logging, encryption, MFA, or other security tools.
- Using company systems to harass, discriminate, threaten, or engage in unlawful activity.
- Sending, storing, or transmitting company data through unapproved channels.
- Opening suspicious attachments, clicking unknown links, or bypassing phishing warnings.

**Privacy and monitoring notice**

Company systems may be monitored, logged, and reviewed for security, compliance, operational, and investigative purposes to the extent permitted by law. Users should not expect personal privacy when using company systems, except where required by law.

Procedure

**1. Account access and password management**

- Users must create passwords that meet the company's minimum length and complexity requirements.
- Passwords must be changed immediately if compromise is suspected or if the company requires a reset following a security event.
- Users must not share credentials with coworkers, supervisors, vendors, or family members.
- Privileged accounts must use stronger authentication controls and may require additional approval.

**2. Multi-factor authentication (MFA)**

- MFA must be enabled where required by IT or Security.
- Users must approve only legitimate login prompts and must report unexpected prompts immediately.
- Lost, stolen, or replaced MFA devices must be reported to IT/Security without delay.

**3. Phishing and suspicious activity reporting**

- Users must report suspected phishing emails, texts, calls, QR-code scams, and suspicious login prompts as soon as possible.
- Reports should include the message, sender, time received, and any actions taken.
- Users must not forward suspicious messages to coworkers except as directed by Security for investigation.

**4. Security incident response expectations**

- Any suspected incident must be reported immediately to IT, Security, or the designated incident response contact.
- Examples include lost devices, accidental data disclosure, malware alerts, unauthorized access, or misdirected sensitive information.
- Users must preserve evidence, stop further use if instructed, and cooperate in good-faith with containment, investigation, and remediation steps.
- Users must not delete logs, alter records, or notify external parties unless authorized by Security, Legal, or management.

**5. Remote work and BYOD**

- Personal devices used for work must comply with company security requirements, including screen locks, encryption where required, and approved access methods.
- Users must avoid public Wi-Fi for sensitive work unless protected by approved secure access tools.
- Lost or stolen devices used for company work must be reported immediately.

Roles & Responsibilities

**Employees and other users**

- Follow this policy and complete required security training.
- Protect credentials, devices, and company data.
- Report phishing, incidents, and suspected policy violations promptly.

**Managers**

- Reinforce compliance expectations and escalate repeated issues.
- Ensure team members complete required training and acknowledgements.

**IT / Security**

- Maintain technical controls, access management, logging, and incident response procedures.
- Investigate reports, coordinate containment, and document remediation actions.

**HR**

- Support policy acknowledgement tracking, training compliance, and disciplinary action where appropriate.
- Coordinate with Legal and Security on employee-related investigations.

**Policy holder**

- Review and update the policy, approve exceptions, and ensure jurisdiction-specific requirements are addressed.

Compliance, Discipline, and Exceptions

Violations of this policy may result in access restrictions, retraining, a documented warning, a PIP, disciplinary action up to and including termination, and/or legal action where appropriate. The company may also revoke system access immediately when necessary to protect company data or operations.

**Exceptions**

- Exceptions must be approved in writing by the policy holder, IT/Security, and, where applicable, Legal or HR.
- ADA-related accommodation requests will be reviewed through the interactive process to determine whether a reasonable accommodation can be provided without creating an undue hardship or unacceptable security risk.
- Any exception must be time-limited, documented, and reviewed periodically.

Review & Revision

This policy will be reviewed at least annually and updated as needed to reflect changes in law, technology, business operations, or security risk. Revisions should be approved by the policy holder, HR, IT/Security, and Legal as appropriate. Employees will be notified of material changes and may be required to re-acknowledge the policy.

Generated with MangoApps Templates - browse 240+ free