Acceptable Use Policy

| Field | Value |
|---|---|
| Document ID | POL-003 |
| Document owner | Jan Marc Castlunger (ISO) |
| Classification | Confidential |
| Version | 1.0 |
| Approved | March 2026 |
| Next review | March 2027 |
| Frameworks | ISO 27001 (A.5.10); SOC 2 (CC1.4, CC6.1) |
1. Purpose
This policy defines the acceptable use of information assets, systems, and devices at CTW Data Solutions GmbH. All users must comply with this policy to protect company and customer data.
2. Scope
Applies to all employees, contractors, and third parties who access CTW Data Solutions systems, networks, or data — including personal devices used for work purposes.
3. General Rules
3.1 Permitted Use
- Company systems and devices shall be used primarily for business purposes
- Limited personal use is permitted provided it does not compromise security, productivity, or legal compliance
- All use must comply with applicable laws and company policies
3.2 Prohibited Activities
| Category | Examples |
|---|---|
| Unauthorised access | Accessing systems, data, or accounts beyond your authorised permissions |
| Data exfiltration | Copying, transferring, or sharing confidential data outside approved channels |
| Circumventing controls | Disabling security tools, bypassing MFA, using unauthorised VPNs or proxies |
| Malicious software | Installing unapproved software, running scripts without authorisation |
| Credential sharing | Sharing passwords, API keys, tokens, or MFA devices with others |
| Illegal activity | Any use that violates German or applicable international law |
4. Email and Communication
- Company email (Google Workspace/ZOHO) is for business use; limited personal use is acceptable
- Do not open attachments or click links from unknown or suspicious senders
- Report all suspected phishing to the ISO immediately
- Sensitive data (classified Confidential or above) must not be sent via unencrypted email
5. Internet Use
- Internet access is provided for business purposes
- Accessing illegal, offensive, or harmful content is strictly prohibited
- Downloading unapproved software or browser extensions is prohibited
- Cloud storage services other than approved suppliers (Google Drive, Azure) are not permitted for company data
6. Device Security
| Requirement | Standard |
|---|---|
| Full-disk encryption | Mandatory on all devices (FileVault / BitLocker) |
| Screen lock | Automatic after 5 minutes of inactivity |
| OS and software updates | Applied within 7 days of release |
| Antivirus / endpoint protection | Required on all devices |
| Unapproved USB devices | Prohibited for data transfer |
7. Data Handling
- Handle data according to its classification level
- Top Secret and Confidential data must not be stored on local devices unless encrypted
- Customer data must only be processed within approved systems (Azure, Google Workspace)
- Paper documents containing sensitive data must be securely destroyed when no longer needed
8. Reporting Obligations
All employees must immediately report to the ISO:
- Suspected security incidents or breaches
- Lost or stolen devices
- Suspected phishing or social engineering attempts
- Any observed policy violations
9. Consequences
Violations of this policy may result in:
- Disciplinary action up to and including termination
- Restriction or revocation of access privileges
- Legal action where warranted
10. Review
This policy is reviewed annually by the ISO.
Approved by: CEO / Information Security Officer, CTW Data Solutions GmbH
Date: March 2026