Skip to main content
DraftIndicative placeholder for the section owner — amend, replace, or confirm as the first definitive version.

Doc owner: TBD

Acceptable Use Policy

Seeded from legacy Allied Information Security Policy (user responsibilities, BYOD, social media, software install rules). Content carried over for review. Acceptable personal-use limits and use of generative-AI tools are not yet covered and need drafting.

Purpose

To define how Allied staff and contractors may use Allied systems, devices, and information assets.

Scope

Applies to all users of Allied systems, including remote and personal-device use where authorised. "Allied systems and information assets" means any device, account, service, network, or data owned or managed by Allied, or used to process Allied data — including company-owned computers and smartphones, authorised personal devices (see BYOD below), cloud services, and removable media. The authoritative inventory is maintained under POL-ENT-003 Asset Management Policy.

Roles and responsibilities

RoleResponsibility
TBD (policy owner)Maintains the Acceptable Use Policy
All usersRead, attest, and comply

User responsibilities

  • Maintain familiarity with and act in accordance with Allied information security policy. All Allied employees must attest that they have read Allied security policy at least once in any 12 month period.
  • Think security, challenge throughout. All employees should make a conscious effort to consider and mitigate security risk in all Allied business.
  • Highlight incidents early. Suspected and known security incidents should be highlighted to the Allied security officer as soon as practicably possible to enable speedy remediation. See POL-DIG-011 Incident Response Plan.
  • Respond to guidance and direction from the Allied security officer. Posted via #security-business-continuity and #software-updates Slack channels.
  • Monitor apps and services for security alerts where you are the business-lead and disseminate this information as soon as is reasonably practical and always within 14 days.

Acceptable use and prohibited activities

Allied systems are provided for legitimate Allied business. Reasonable, incidental personal use is permitted provided it does not interfere with work, consume significant resources, or breach this or any other Allied policy.

Use of any Allied system must not:

  • Break the law, or further any illegal, fraudulent, or malicious activity.
  • Harass, defame, or discriminate against any person, or create, store, or transmit material that is obscene, abusive, or offensive. See POL-PPL-001 Code of Conduct.
  • Access accounts, systems, networks, drives, folders, or data the user has not been authorised to access.
  • Make unauthorised copies of, or deliberately destroy, conceal, or withhold, Allied data.
  • Misrepresent the user's or Allied's identity, or assume another user's identity.
  • Solicit non-Allied business, or use Allied systems for personal financial gain.
  • Send chain letters or unsolicited bulk messages ("spam").
  • Deliberately introduce or propagate malware, or knowingly visit known-malicious sites.
  • Disable, circumvent, or interfere with any security control (antivirus, firewall, encryption, MDM, screen lock, or monitoring) on any device used to process Allied data.
  • Attempt to defeat or bypass access or security restrictions on Allied systems.

Allied maintains the definitive list of prohibited activities in this section; it is reiterated during onboarding (see Training and awareness) and updated as required.

Software installation

Only applications sourced from either the Apple, Google or Microsoft store may be installed on devices used to process Allied data. If employees wish to install software that is not sourced from one of these stores, written permission is required from the Allied security officer to do so. All software must be supported by the supplier. All installed software must be licensed in accordance with the publisher's recommendations.

See POL-DIG-013 System and Information Integrity Policy for the underlying technical controls.

BYOD (bring your own device)

Allied operates a mixed hardware model:

  • Allied employees are supplied with Allied owned computers and ancillaries. Allied employees may also be supplied with a smartphone. Where employees are not provided with a smartphone they use their personal devices.
  • Allied advisers, consultants and partners. Personnel working on behalf of Allied but not employed by Allied bring their own devices to work (BYOD).

BYOD requirements:

Use of social media and public publishing platforms

Allied uses a number of social media platforms to publicise its own narrative and messaging and to amplify the messaging of others. These platforms currently include:

All personnel with administrator access to these accounts must ensure they use long passwords and multi-factor authentication wherever possible.

No public posts may contain information about where or how Allied manages its own data, or specifics on its security arrangements.

Monitoring

Use of Allied systems is subject to monitoring by Allied for security, compliance, and operational purposes. This includes device posture and security telemetry collected through MDM/EDR (see POL-ENT-008 Physical Security Policy and POL-DIG-013 System and Information Integrity Policy) and access and event logging (see POL-DIG-007 Logging and Monitoring Policy). Monitoring is proportionate and conducted in line with applicable law; users should have no expectation of privacy in their use of Allied systems beyond that provided by law and Allied's data protection obligations (see POL-ENT-006 Data Protection Policy).

Training and awareness

  • New joiners complete security awareness familiarisation as part of onboarding, covering Allied systems, security requirements, this policy, and the prohibited activities listed above.
  • All personnel complete ongoing security awareness training and re-attest to this policy at least once in any 12-month period (see User responsibilities).
  • Where the prohibited-activities list or other material requirements change, affected personnel are notified and retrained as needed.

Leaving Allied

On termination, end of contract, or end of engagement, leavers must return all Allied-owned assets and cease use of Allied systems and data. Access is revoked through the joiner/mover/leaver process in the Systems Access Control Procedure, and assets are reconciled under POL-ENT-003 Asset Management Policy. Obligations that survive departure — including confidentiality — remain in force.

Breaches and sanctions

Suspected breaches of this policy are handled through a fair process that considers the circumstances, including whether it was a first offence and the severity of any harm. Sanctions may follow up to and including termination of employment or contract for serious misconduct, and Allied may suspend or revoke access at any time. Conduct expectations and the disciplinary route are set out in the POL-PPL-001 Code of Conduct.

Policy statements

TBD — gap analysis to add: acceptable personal-use limits (quantified), and use of generative-AI tools and prompt content.

Rationale