GOV-025 Acceptable Use of Information Assets
Description
Rules governing the acceptable use of organizational information, systems, and other assets are documented, communicated to all personnel before access is granted, and acknowledged. The rules address prohibited activities, personal use limits, and obligations to protect organizational information.
Rationale
Personnel must understand what constitutes acceptable use before they can be held accountable for violations. An acknowledged acceptable use policy creates a documented baseline for disciplinary and legal proceedings.
Framework Mappings (5)
| Control | Title | Coverage |
|---|---|---|
| HRS-02 | Acceptable Use of Technology Policy and Procedures | full |
| HRS-13 | Compliance User Responsibility | partial |
| 5.10 | Acceptable use of information and other associated assets | full |
| PL-4 | Rules of Behavior | full |
| CC1.1 | COSO Principle 1: Demonstrates Commitment to Integrity and Ethical Values | partial |
Evidence (2)
Acceptable use policy (AUP) defining permitted and prohibited use of organizational information assets, communicated to all personnel.
Example: Acceptable Use Policy (Confluence / policy management system), covering: permitted uses of devices, corporate network, cloud services, and data; prohibited activities (unauthorized software, personal use limits, data exfiltration); and incident reporting obligations.
Test: Request the acceptable use policy. Verify: (1) prohibited activities are explicitly listed, (2) personal use limits are addressed, (3) obligations to protect organizational information are stated, (4) the policy has a management approval date within the last 12 months, (5) distribution evidence exists (all-staff email, intranet post, or training platform record).
Signed acknowledgement records confirming all personnel have read and accepted the acceptable use policy before receiving system access.
Example: AUP acknowledgement export from the HRIS or training platform (BambooHR, Workday, KnowBe4, or equivalent), showing name, email, and acknowledgement date for each current employee — with 100% or near-100% completion.
Test: Export the AUP acknowledgement records from the HR or training system. Verify: (1) all active employees have a recorded acknowledgement, (2) acknowledgement date is within the last 12 months or at onboarding for newer staff, (3) any individuals without acknowledgement have an open remediation action.
Questions (2)
Does your organization have a documented acceptable use policy (AUP) that defines permitted and prohibited use of organizational information assets, and is it communicated to all personnel before access is granted?
The AUP should explicitly list prohibited activities, personal use limits, and data protection obligations, and be approved by management within the last 12 months.
How is acknowledgement of the acceptable use policy captured and tracked for all personnel?
A digital acknowledgement export showing 100% (or near-100%) completion for all active staff, with acknowledgement dates, is the standard evidence.