Doc owner: TBD
Acceptable Use Policy
Seeded from legacy Allied Information Security Policy (user responsibilities, BYOD, social media, software install rules). Content carried over for review. Acceptable personal-use limits and use of generative-AI tools are not yet covered and need drafting.
Purpose
To define how Allied staff and contractors may use Allied systems, devices, and information assets.
Scope
Applies to all users of Allied systems, including remote and personal-device use where authorised. "Allied systems and information assets" means any device, account, service, network, or data owned or managed by Allied, or used to process Allied data — including company-owned computers and smartphones, authorised personal devices (see BYOD below), cloud services, and removable media. The authoritative inventory is maintained under POL-ENT-003 Asset Management Policy.
Roles and responsibilities
| Role | Responsibility |
|---|---|
| TBD (policy owner) | Maintains the Acceptable Use Policy |
| All users | Read, attest, and comply |
User responsibilities
- Maintain familiarity with and act in accordance with Allied information security policy. All Allied employees must attest that they have read Allied security policy at least once in any 12 month period.
- Think security, challenge throughout. All employees should make a conscious effort to consider and mitigate security risk in all Allied business.
- Highlight incidents early. Suspected and known security incidents should be highlighted to the Allied security officer as soon as practicably possible to enable speedy remediation. See POL-DIG-011 Incident Response Plan.
- Respond to guidance and direction from the Allied security officer. Posted via
#security-business-continuityand#software-updatesSlack channels. - Monitor apps and services for security alerts where you are the business-lead and disseminate this information as soon as is reasonably practical and always within 14 days.
Acceptable use and prohibited activities
Allied systems are provided for legitimate Allied business. Reasonable, incidental personal use is permitted provided it does not interfere with work, consume significant resources, or breach this or any other Allied policy.
Use of any Allied system must not:
- Break the law, or further any illegal, fraudulent, or malicious activity.
- Harass, defame, or discriminate against any person, or create, store, or transmit material that is obscene, abusive, or offensive. See POL-PPL-001 Code of Conduct.
- Access accounts, systems, networks, drives, folders, or data the user has not been authorised to access.
- Make unauthorised copies of, or deliberately destroy, conceal, or withhold, Allied data.
- Misrepresent the user's or Allied's identity, or assume another user's identity.
- Solicit non-Allied business, or use Allied systems for personal financial gain.
- Send chain letters or unsolicited bulk messages ("spam").
- Deliberately introduce or propagate malware, or knowingly visit known-malicious sites.
- Disable, circumvent, or interfere with any security control (antivirus, firewall, encryption, MDM, screen lock, or monitoring) on any device used to process Allied data.
- Attempt to defeat or bypass access or security restrictions on Allied systems.
Allied maintains the definitive list of prohibited activities in this section; it is reiterated during onboarding (see Training and awareness) and updated as required.
Software installation
Only applications sourced from either the Apple, Google or Microsoft store may be installed on devices used to process Allied data. If employees wish to install software that is not sourced from one of these stores, written permission is required from the Allied security officer to do so. All software must be supported by the supplier. All installed software must be licensed in accordance with the publisher's recommendations.
See POL-DIG-013 System and Information Integrity Policy for the underlying technical controls.
BYOD (bring your own device)
Allied operates a mixed hardware model:
- Allied employees are supplied with Allied owned computers and ancillaries. Allied employees may also be supplied with a smartphone. Where employees are not provided with a smartphone they use their personal devices.
- Allied advisers, consultants and partners. Personnel working on behalf of Allied but not employed by Allied bring their own devices to work (BYOD).
BYOD requirements:
- All the mandated requirements for Allied devices (see POL-DIG-013) are strongly recommended for BYOD.
- BYOD must never be used to store confidential or higher classification material (see POL-ENT-004 Data Classification Policy).
Use of social media and public publishing platforms
Allied uses a number of social media platforms to publicise its own narrative and messaging and to amplify the messaging of others. These platforms currently include:
- LinkedIn — Allied Adaptive Industries
All personnel with administrator access to these accounts must ensure they use long passwords and multi-factor authentication wherever possible.
No public posts may contain information about where or how Allied manages its own data, or specifics on its security arrangements.
Monitoring
Use of Allied systems is subject to monitoring by Allied for security, compliance, and operational purposes. This includes device posture and security telemetry collected through MDM/EDR (see POL-ENT-008 Physical Security Policy and POL-DIG-013 System and Information Integrity Policy) and access and event logging (see POL-DIG-007 Logging and Monitoring Policy). Monitoring is proportionate and conducted in line with applicable law; users should have no expectation of privacy in their use of Allied systems beyond that provided by law and Allied's data protection obligations (see POL-ENT-006 Data Protection Policy).
Training and awareness
- New joiners complete security awareness familiarisation as part of onboarding, covering Allied systems, security requirements, this policy, and the prohibited activities listed above.
- All personnel complete ongoing security awareness training and re-attest to this policy at least once in any 12-month period (see User responsibilities).
- Where the prohibited-activities list or other material requirements change, affected personnel are notified and retrained as needed.
Leaving Allied
On termination, end of contract, or end of engagement, leavers must return all Allied-owned assets and cease use of Allied systems and data. Access is revoked through the joiner/mover/leaver process in the Systems Access Control Procedure, and assets are reconciled under POL-ENT-003 Asset Management Policy. Obligations that survive departure — including confidentiality — remain in force.
Breaches and sanctions
Suspected breaches of this policy are handled through a fair process that considers the circumstances, including whether it was a first offence and the severity of any harm. Sanctions may follow up to and including termination of employment or contract for serious misconduct, and Allied may suspend or revoke access at any time. Conduct expectations and the disciplinary route are set out in the POL-PPL-001 Code of Conduct.
Policy statements
TBD — gap analysis to add: acceptable personal-use limits (quantified), and use of generative-AI tools and prompt content.
Related
- POL-PPL-001 Code of Conduct
- POL-DIG-002 Access Control Policy
- POL-DIG-007 Logging and Monitoring Policy
- POL-DIG-013 System and Information Integrity Policy
- POL-ENT-003 Asset Management Policy
- POL-ENT-004 Data Classification Policy
- POL-ENT-006 Data Protection Policy
- POL-ENT-008 Physical Security Policy
- Systems Access Control Procedure
- ISO 27001:2022 Annex A.5.10