Acceptable Use Policy
1. Purpose
Defines acceptable and prohibited uses of Meridian Seven systems, devices, and data.
2. Scope
All employees, contractors, and third parties who access Meridian Seven systems or data, regardless of location or device.
3. Device Requirements
All devices used for work must meet the minimum security requirements defined in the BYOD Endpoint Security Policy. Required controls include:
- CrowdStrike Falcon installed and active
- FileVault (macOS) or BitLocker (Windows) full-disk encryption enabled
- Automatic OS and security updates enabled
- Screen lock configured (5-minute inactivity maximum)
- Firewall enabled
Non-compliant devices may be restricted from company systems. Lost or stolen devices must be reported immediately to the CISO.
4. Approved Software
| Category | Approved Software |
|---|---|
| Browser | Google Chrome (primary), Safari, Firefox |
| Communication | Google Workspace, Slack |
| Development | VS Code, terminal emulators, Git, Docker, language runtimes |
| Password Management | 1Password |
| Endpoint Security | CrowdStrike Falcon |
Software not listed requires CTO or CISO approval before installation.
5. Prohibited Activities
Software and Systems
- Installing unauthorized software, browser extensions, or plugins
- Disabling or tampering with CrowdStrike or other security software
- Using personal cloud storage (Dropbox, personal Google Drive, iCloud) for company data
- Running cryptocurrency mining software
- Installing peer-to-peer file sharing software
Data Handling
- Storing company data on personal devices or unauthorized cloud services
- Sharing credentials, API keys, or tokens with anyone (use 1Password sharing)
- Copying customer data to local devices, personal storage, or unauthorized systems
- Transmitting Confidential or Restricted data via personal email, SMS, or unauthorized messaging apps
Security
- Circumventing access controls, authentication, or authorization mechanisms
- Performing unauthorized security testing, scanning, or penetration testing
- Accessing systems or data beyond assigned authorization
- Sharing or reusing passwords across systems
- Leaving devices unlocked and unattended
Communication
- Using company channels for harassment, discrimination, or threats
- Impersonating other employees or external parties
- Sending spam or bulk unsolicited messages from company systems
6. BYOD Device Requirements
All work devices are personally owned under the BYOD Endpoint Security Policy. Devices meeting minimum requirements may access all company systems appropriate to the user’s role per the Access Control Policy.
All devices must have:
- Screen lock enabled (5-minute inactivity maximum)
- Current OS with security updates enabled
- MFA on all company accounts
- CrowdStrike Falcon sensor active
- 1Password installed and configured
7. Reporting Obligations
Report immediately to the CISO via Slack #security or direct message:
- Lost or stolen company devices
- Suspected phishing or social engineering attempts
- Suspected unauthorized access to systems or data
- Observed policy violations
- Security vulnerabilities in company systems
- Suspicious software behavior on company devices
- Any communication from someone claiming to be law enforcement requesting data access
Good-faith reports are protected — no retaliation.
8. Remote Work Requirements
- Use WPA2 or WPA3 encrypted WiFi; use VPN on public WiFi
- Home routers must use a strong, unique password
- Use a privacy screen when handling Confidential or Restricted data in shared spaces
- Lock screen when stepping away; do not allow non-employees to use company devices
- Secure devices when traveling (hotel safe, locked bag)
- Ensure calls and video meetings discussing sensitive information cannot be overheard
9. Enforcement
Violations are subject to disciplinary actions per the Information Security Policy, up to and including termination. Serious violations may result in legal action.
10. Acknowledgment
All personnel must acknowledge this policy within 30 days of hire and annually thereafter.
11. Related Documents
- BYOD Endpoint Security Policy
- Information Security Policy
- Access Control Policy
- Data Classification Policy
- Onboarding Checklist
Meridian Seven — Confidential