N1NJ4 Tech Solutions
Acceptable Company Asset Use Policy

N1NJ4 Tech Solutions (NTS)

Acceptable Use Policy


CIS Critical Security Controls v8 Compliant

October 2024
v1.1


Acknowledgments


The Center for Internet Security® (CIS®) would like to thank the many security experts who volunteer their time and talent to support the CIS Critical Security Controls® (CIS Controls®) and other CIS work. CIS products represent the effort of a veritable army of volunteers from across the industry, generously giving their time and talent in the name of a more secure online experience for everyone.


Editors:


Joshua M Franklin, CIS


Contributors:


Tony Krzyzewski, SAM for Compliance Ltd
Staffan Huslid, Truesec
Diego Bolatti, Information Systems Engineer, Universidad Tecnológica Nacional (Argentina)
Bryan Chou, CISSP, GSEC, GCED, GCIH
Bryan Ferguson
Gavin Willbond, SSS - IT Security Specialists
Ken Muir
Keala Asato
Jon Matthies
Robin Regnier, CIS

James Smith CCNA | CC 


This work is licensed under a Creative Commons Attribution, Non-Commercial, No Derivatives 4.0 International Public License. (The link can be found at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode.)
To further clarify the Creative Commons license related to the CIS Controls® content, you are authorized to copy and redistribute the content as a framework for use by you, within your organization, and outside of your organization for non-commercial purposes only, provided that (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you remix, transform, or build upon the CIS Controls, you may not distribute the modified materials. Users of the CIS Controls framework are also required to refer to http://www.cisecurity.org/controls/ when referring to the CIS Controls to ensure that users are employing the most up-to-date guidance. Commercial use of the CIS Controls is subject to the prior approval of the Center for Internet Security, Inc. (CIS®).


Acceptable Use Policy


Introduction


This Acceptable Use Policy acts as a terms and conditions document for employees and clients. It is the cornerstone of an information security policy suite. All users will be required to read this document, confirm their understanding, and sign before they are given access to enterprise assets, data, and other resources. This user agreement applies throughout the enterprise and is necessary for project-specific and business unit-specific agreements to exist. The rules defined within this document will be regularly updated to meet the enterprise’s needs and regularly enforced. Acceptable Use Policies help to reduce risk and educate users on NTS’s current company policies.


Purpose


This Acceptable Use Policy acts as an agreement between NTS and the user receiving Information Technology (IT) assets. Assets are defined as anything that has value to an organization, including, but not limited to, another organization, person, computing device, IT system, IT network, software (both an installed instance and a physical instance), virtual computing platform (common in cloud and virtualized computing), and related hardware (e.g., locks, cabinets, keyboards). This Acceptable Use Policy defines permitted usage of these assets, as well as restricted actions that users must not take to reduce risk to the enterprise.


Applicability


This policy applies to all users within the enterprise who receive and utilize enterprise assets. This includes all members of the workforce (both on-site and remote), third-party vendors, contractors, service providers, consultants, or any other individuals that operate an enterprise asset. It is the user’s responsibility to read and understand this policy and to conduct their activities in accordance with its terms. Additionally, users must read and understand the enterprise’s Information Security Policy and its associated standards. Users who find the policy statements within this document unclear are encouraged to reach out to IT for clarification.


Scope


This policy supplements the CIS Controls v8. The policy statements in this document can be used by all CIS Implementation Groups (IGs) but are specifically geared towards Safeguards in Implementation Group 1 (IG1). Appendix D notes that there are 0 CIS Safeguards within this Policy mapped to the CIS Controls. For more information on the CIS Implementation Groups, see Appendix C. A glossary in Appendix B explains the terminology used throughout the document. Depending on the enterprise’s sector or mission, other policy statements may need to be added or removed.


Defining Enterprise Assets


There are many types of enterprise assets that can exist in an enterprise. Many of them will need to be covered by an Acceptable Use Policy, but there will be situations where this is not possible. For instance, users outside the information technology (IT) business unit will rarely need to enter the server room and manage servers, meaning servers may not need to be covered by the general Acceptable Use Policy. For the purposes of this document and the CIS Critical Security Controls® v8 (CIS Controls® v8), enterprise assets are defined as all end-user devices, network devices, non-computing/Internet of Things (IoT) devices, and servers that exist in virtual, cloud-based, or physical environments, including those that can be connected to remotely. Enterprise assets are managed by the enterprise and have the potential to store, process, or transmit data. Types of enterprise assets include:

  • End-user devices, such as desktops, workstations, laptops, tablets, and smartphones
  • Network devices, such as wireless access points, switches, firewalls, physical/virtual gateways, and routers
  • Non-computing/Internet of Things (IoT) devices, such as Industrial Control Systems (ICS), smart screens, printers, physical security sensors, and IT security sensors
  • Servers, such as web servers, email servers, application servers, and file servers


Topics


The CIS Information Security Policy generally follows a lifecycle model, but that is not possible within this policy. This Acceptable Use Policy simply informs employees and clients how they are allowed to use the information technology (IT) assets our enterprise has provided in order to perform their tasks. This is essentially a list of DOs and DON’Ts, or an “Acceptable Use” and “Unacceptable Use” list. The content of NTS’s Acceptable Use Policy contains best practices for the following topics:

  • Acceptable Use – Actions that employees/clients may perform with their enterprise assets.
  • Prohibited Use – Actions that employees must not perform with their enterprise assets.
  • Personal Use – Restrictions around the usage of enterprise assets for personal affairs.
  • Privacy Expectations – Descriptions of the level of privacy that users can expect while working with their enterprise assets.
  • Reporting Violations – Methods to report violations of the enterprise Acceptable Use Policy, and other enterprise policies.
  • Remote Work – Policies for users working from their homes rather than the office or assigned duty station.
  • Bring Your Own Device – Statements restricting or enabling the usage of personal devices for work activities.


Exceptions


Exceptions to this policy are likely to occur. Exception requests may arise for a variety of reasons, but generally they occur when employees need to use enterprise IT assets in a manner that is inconsistent with policy. For example, it is common to need to connect a personal device to the enterprise network, or to place enterprise data in the possession of a third-party contractor. All exception requests must be made in writing and must contain:

  • The reason for the request,
  • Risk to the enterprise of not following the written policy,
  • Specific mitigations that will not be implemented,
  • Technical and other difficulties, and
  • Date of review.

All exceptions must be approved by a manager authorized to approve the exception.


Policy


User Responsibilities


  1. Users must only use approved technology and services.
  2. All enterprise assets are on loan to users so that essential job functions may be performed.
  3. Upon separation from the enterprise or contract termination, all supplied IT assets, and the associated data must be returned by the user.
  4. Users must secure the physical environment around their workstation and lock their computers when stepping away.
  5. Users must ensure that Personally Identifiable Information (PII), confidential, and any sensitive data that may be covered by government or other regulation, is not readily available or accessible on their desks or within their workspace.
  6. All users must take appropriate care to protect information, systems, and related assets within their custody or care from loss, damage, or harm.
    a. Lost or damaged equipment must be reported to IT as soon as practical.
  7. Users must store their passwords in a secure manner.
    a. Approved password managers must be used to store passwords digitally.
  8. User-assigned accounts must only access assets, operating systems, applications, files, and data to which they have been granted access. The ability to inadvertently read, execute, modify, delete, or copy data does not imply permission to do so.
  9. Only authorized users are permitted to post content or create the impression that they are representing, stating opinions, or otherwise making statements on behalf of the enterprise on social networking sites, blogs, or other internet sites.
  10. Users must keep knowledge about information and information systems gained during employment confidential, and confidentiality must be maintained after employment ceases.


Prohibited Use


  1. Only approved and authorized devices may be connected to networks owned or managed by the enterprise. This includes portable end-user devices and IoT devices.
  2. IT assets may not be used to play games or run entertainment software.
  3. Users must not use, store, or share copyrighted or otherwise protected media that has not been legally obtained.
  4. IT assets may not be used to host or engage in personal activities, including private business matters.
  5. Users must not engage in any activity with the intent to disrupt enterprise assets or networks. Users must not perform any form of network monitoring, port scanning or security scanning unless this activity is a part of the individual's normal job and is formally authorized.
  6. Users must not leverage enterprise assets for personal economic gain.
  7. Users must not leverage the “Remember Me” or “Remember my Password” function inside of a browser.


Expectations of Privacy


  1. When using enterprise resources, the user shall have no expectation of privacy. Access and use of the Internet, including communication by e-mail and instant messaging and the content thereof, are not confidential, except in certain limited cases recognized by law.
  2. The enterprise reserves the right to monitor, access, and disclose all information generated and actions performed using enterprise IT assets. Files, messages (including attachments), and logs may be retained and used as evidence in litigation, audits, and investigations.


Personal Use


  1. Users are permitted limited personal use of enterprise assets, such as visiting websites and checking personal email accounts. 
  2. Users may access web-based personal password managers on enterprise assets. Local installation of a password manager must be approved by IT. 
  3. Users must not store enterprise passwords in personal password managers. 
  4. Users must not leverage browser sync or browser profiles that will move a user’s browser history from a personal device to an enterprise asset (or vice versa). 
  5. Users must not use personally owned accounts (e.g., Apple ID, Google Account, Microsoft Account) for device-wide accounts (e.g., Android, iOS, Windows) on enterprise devices unless permitted by the enterprise.
  6. Users must work with IT to create enterprise-specific accounts for required assets and third-party services, such as creating an enterprise-owned Apple ID for an Apple device.
  7. Users must not use enterprise license keys on personal devices unless authorized by the enterprise. 
  8. Enterprise data must not be stored on non-enterprise, personal cloud provider platforms (e.g., Google Drive, Microsoft OneDrive, Dropbox) unless implicitly allowed by Executive Management. 


Reporting Violations


  1. Self-reported violations will not result in repercussions for the reporting user; this is to ensure that such information is made available to the enterprise.
  2. Users who are aware of any event which threatens the availability, integrity, or confidentiality of enterprise data, which breaches any standard, policy, procedure, or associated requirement, or which is contrary to law, must immediately contact IT or their immediate manager.


Remote Work


Remote work occurs whenever enterprise users work from a location outside of the enterprise’s premises, accessing information either in hardcopy or electronically via enterprise equipment. Remote working environments include those referred to as “teleworking”, “telecommuting”, “flexible workplace”, “virtual work environments”, and “remote maintenance”. The enterprise should inform users that this Acceptable Use Policy applies regardless of where they are working. Enterprises should encourage users to take extra security precautions when working remotely, including preventing other people in the remote working location from accessing or viewing enterprise data. Note that this Acceptable Use Policy alone is insufficient to create a comprehensive remote work policy, and enterprises are encouraged to develop robust remote work programs.

  1. All employees must undergo training on this remote work policy and cybersecurity best practices before remote work is approved.
  2. All enterprise work must be performed on enterprise-approved assets, regardless of asset ownership.
  3. All enterprise data must be stored on approved enterprise assets.
  4. Users must not connect enterprise assets to open, unencrypted WiFi networks.
  5. Remote access to NTS leased/owned accounts must use multi-factor authentication (MFA).
  6. Users must be aware of their surroundings when working remotely to ensure others are not shoulder surfing or viewing sensitive material.
  7. Any digitally approved access to and transmission of PII must use NTS’s VPN connection.


Bring Your Own Device


BYOD is the practice of enterprise users leveraging their personal devices for enterprise tasks. Most commonly, these devices are either smartphones or laptops. There are multiple ways to implement BYOD, such as placing the device completely under enterprise management control, using a virtual private network (VPN) to obtain an internal internet protocol (IP) address, isolating BYOD devices into restricted networks, or simply allowing a device to connect to enterprise cloud services via an app on the device. Enterprises should work to protect their information on personal devices and ensure other applications are not accessing sensitive or confidential material. Note that this Acceptable Use Policy alone is insufficient to create a BYOD policy, and enterprises are encouraged to develop their own robust BYOD policies to cover situations and threats unique to them. More advanced enterprises, such as those self-classifying as CIS Implementation Group (IG) IG2 and IG3, should be using mobile device management and enterprise mobility management tools to enable BYOD. For additional guidance on using the CIS Controls for mobile devices, please see the CIS Controls Mobile Companion Guide.


  1. All BYOD requests must be made formally in writing through NTS’s BYOD policy and accompanying request form.
  2. Personal devices must not be connected to the enterprise network without formal authorization.
  3. Enterprise data must not be stored on personal devices without formal authorization.
  4. Users leveraging their personal device to store enterprise data may have their device completely wiped. Reasons for a device wipe may include:
    a. Lost / stolen device.
    b. Termination of user’s employment.
    c. Compromised / hacked account or device.


Revision History

Version | Revision Date | Revision Description | Name
1.0     | 7/23          | Creation             | James
v1.1    | 10/24         | Entity Change        | James


Acronyms and Abbreviations:


BYOD - Bring your own device

CIS - Center for Internet Security

CIS Controls - Center for Internet Security Critical Security Controls

ICS - Industrial Control Systems

IG - Implementation Group

IoT - Internet of Things

IP - Internet protocol

IT - Information Technology

PII - Personally Identifiable Information

VPN - Virtual Private Network


Glossary:


Asset - Anything that has value to an organization, including, but not limited to, another organization, person, computing device, information technology (IT) system, IT network, IT circuit, software (both an installed instance and a physical instance), virtual computing platform (common in cloud and virtualized computing), and related hardware (e.g., locks, cabinets, keyboards).

Source: Asset(s) - Glossary | CSRC (nist.gov)


Asset inventory - An asset inventory is a register, repository, or comprehensive list of an enterprise’s assets and specific information about those assets.

Source: Asset Inventory | FTA (dot.gov)


Asset owner - The department, business unit, or individual responsible for an enterprise asset.

Source: CIS


Cloud environment - A virtualized environment that provides convenient, on-demand network access to a shared pool of configurable resources such as network, computing, storage, applications, and services. There are five essential characteristics to a cloud environment: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. Some services offered through cloud environments include Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).


Enterprise assets - Assets with the potential to store or process data. For the purpose of this document, enterprise assets include end-user devices, network devices, non-computing/Internet of Things (IoT) devices, and servers in virtual, cloud-based, and physical environments.

Source: CIS Controls v8


End-user devices - Information technology (IT) assets used among members of an enterprise during work, off-hours, or any other purpose. End-user devices include mobile and portable devices such as laptops, smartphones, and tablets as well as desktops and workstations. For the purpose of this document, end-user devices are a subset of enterprise assets.

Source: CIS Controls v8


Enterprise asset identifier - Often a sticker or tag with a unique number or alphanumeric string that can be tracked within an enterprise asset inventory.

Source: CIS


Mobile end-user devices - Small, enterprise-issued end-user devices with intrinsic wireless capability, such as smartphones and tablets. Mobile end-user devices are a subset of portable end-user devices, including laptops, which may require external hardware for connectivity. For the purpose of this document, mobile end-user devices are a subset of end-user devices.

Source: CIS Controls v8


Network devices - Electronic devices required for communication and interaction between devices on a computer network. Network devices include wireless access points, firewalls, physical/virtual gateways, routers, and switches. These devices consist of physical hardware as well as virtual and cloud-based devices. For the purpose of this document, network devices are a subset of enterprise assets.

Source: CIS Controls v8


Non-computing/Internet of Things (IoT) devices - Devices embedded with sensors, software, and other technologies for the purpose of connecting, storing, and exchanging data with other devices and systems over the internet. While these devices are not used for computational processes, they support an enterprise’s ability to conduct business processes. Examples of these devices include printers, smart screens, physical security sensors, industrial control systems, and information technology sensors. For the purpose of this document, non-computing/IoT devices are a subset of enterprise assets.

Source: CIS Controls v8


Physical environment - Physical hardware parts that make up a network, including cables and routers. The hardware is required for communication and interaction between devices on a network.

Source: CIS Controls v8


Portable end-user devices - Transportable end-user devices that have the capability to wirelessly connect to a network. For the purpose of this document, portable end-user devices can include laptops and mobile devices such as smartphones and tablets, all of which are a subset of enterprise assets.

Source: CIS Controls v8


Remote devices - Any enterprise asset capable of connecting to a network remotely, usually from the public internet. This can include enterprise assets such as end-user devices, network devices, non-computing/Internet of Things (IoT) devices, and servers.

Source: CIS Controls v8


Servers - A device or system that provides resources, data, services, or programs to other devices on either a local area network or wide area network. Servers can provide resources and use them from another system at the same time. Examples include web servers, application servers, mail servers, and file servers.

Source: CIS Controls v8


User - Employees (both on-site and remote), third-party vendors, contractors, service providers, consultants, or any other individual that operates an enterprise asset.

Source: CIS


Virtual environment - Simulates hardware to allow a software environment to run without the need to use a lot of actual hardware. Virtualized environments are used to make a small number of resources act as many, with plenty of processing, memory, storage, and network capacity. Virtualization is a fundamental technology that allows cloud computing to work.



Terms and Conditions

Acceptance of Terms


By using our services, you agree to comply with these Terms and Conditions. If you do not agree with any part of these terms, please do not use our services.


Services Offered


We offer a range of IT and cybersecurity services, including cloud migration, hardware upgrades, and cybersecurity services such as firewall installation, configuration, and device hardening. Device hardening involves adjusting software-based policies within operating systems to strengthen security. Full descriptions of our services are available on our website.


Client Intake Form


Clients are required to complete an intake form prior to service initiation. This form gathers essential details to ensure service accuracy and compliance with relevant requirements. Failure to complete the intake form may delay or prevent service provision.


Pricing


Prices listed for services are estimates based on standard options. Final pricing may vary depending on specific project needs and requirements.


Payment Terms


Full payment is required upfront for any material costs, including hardware and software, unless otherwise negotiated for established clients.

  • For labor-based services, billing is on an hourly or fixed-fee basis, with invoices issued bi-weekly or upon project completion.
  • Additional costs that arise during the project will be invoiced immediately and are payable within 15 days.

Cancellation Policy


Clients may cancel services within 24 hours of booking. Cancellations after this period may forfeit any prepaid amounts, particularly if work has already begun.


Limitation of Liability


Our liability for any damages arising from the use of our services is limited to the total fees paid. We are not liable for indirect, incidental, or consequential damages.


Privacy and Data Protection


We are committed to safeguarding your privacy. Personal information will not be shared without explicit consent, except where required by law, such as a court order, or in cases of fraudulent use of our site and services. Fraudulent use is defined as any activities outside our “acceptable use” terms.


Compliance and Governing Law


We adhere to all applicable laws and regulations relevant to our services, including data protection laws (e.g., GDPR) and any regional or industry-specific regulations relevant to your business location. By using our services, you agree to hold us accountable under the jurisdiction in which we operate. Any disputes will be subject to the exclusive jurisdiction of the courts in our operating state.


Changes to Terms


We reserve the right to modify these Terms and Conditions at any time. Changes take effect immediately upon posting on our website. Continued use of our services after changes have been made constitutes acceptance of the new terms.


Contact Information


For any questions or concerns, please contact us at Terms-Cond@N1NJ4-TechSolutions.com.

Return and Refund Policy


N1NJ4 Tech Solutions is committed to ensuring client satisfaction by delivering high-quality IT and cybersecurity services. Our Return & Refund Policy is designed to address the specific nature of our services and provide clear expectations for refunds and returns.

  1. Non-Refundable Completed Services
    Once a service is completed or work has begun, refunds are generally not available due to the time, expertise, and resources already invested.
  2. Refunds for Prepaid Packages
    If a client cancels a prepaid service package before any work has commenced, a partial refund may be provided, minus a 20% administrative fee. This covers preparatory costs associated with the service.
  3. Unused Hours in Retainer Services
    For services billed on a retainer or hourly basis, clients may receive a refund for any unused hours. Cancellations require a 10-day notice, and refunds for unused hours will be processed after the notice period.
  4. Service Satisfaction Guarantee
    We aim to deliver quality service. If clients are dissatisfied with a specific, small-scale service, we may offer a free rework within 14 days, though a full refund is generally not applicable. Satisfaction guarantees do not apply to ongoing or large-scale projects.
  5. Hardware and Software Purchases
    Refunds for hardware and software purchased on behalf of the client follow the manufacturer’s return policy. Clients are responsible for reviewing these terms, as N1NJ4 Tech Solutions does not provide direct refunds for third-party products.
  6. Cancellation & Termination Fees
    For larger contracts or mid-project cancellations, a termination fee may apply. This fee covers ramp-down costs, resource reallocation, and completed work up to the termination date.
  7. Compliance and Governing Law
    Our services comply with applicable local laws and regulations, including data protection standards relevant to the client's jurisdiction, such as GDPR. Clients are responsible for completing the required intake form to ensure compliance alignment.

If you have questions about this policy, please contact us at refund@N1NJ4-TechSolutions.com.

Copyright © 2024 N1NJ4 Tech Solutions - All Rights Reserved.
