Acceptable Use Policy (A.5.10)

Document ID: acceptable-use-policy
Version: 1.0
Effective from: 2025-01-01
Owner: Founder / CEO
Review cycle: Annual


Purpose

Define acceptable and unacceptable use of SigmaShake information systems, devices, and data to protect the organisation and its customers.

Scope

Applies to all personnel accessing SigmaShake systems (currently: founder/CEO). Future employees or contractors must acknowledge this policy before gaining access.

Acceptable use

  • Using SigmaShake systems for legitimate business purposes related to the development, operation, and support of the SigmaShake platform
  • Accessing only data and systems for which you are authorised
  • Using MFA-protected accounts for all production access
  • Reporting security incidents and vulnerabilities promptly

Unacceptable use

The following are prohibited:

  • Unauthorised data access — Accessing customer data beyond what is required for the specific task
  • Credential sharing — Sharing passwords, API tokens, or MFA codes with any other person
  • Shadow IT — Deploying production services outside the declared system inventory without approval and registration in the asset inventory
  • Data exfiltration — Copying production or customer data to unencrypted or unauthorised storage
  • Misrepresentation — Falsifying compliance evidence or audit records
  • Bypassing controls — Disabling security controls, skipping pre-commit hooks, or using --no-verify flags without documented justification
  • Personal use of Restricted credentials — Using production API keys or signing keys for personal projects

Device requirements

  • All devices used for production access must comply with the Endpoint Posture requirements (A.8.1, A.6.7)
  • Disk encryption mandatory (FileVault / BitLocker / LUKS)
  • OS patches applied within 30 days of release
  • Screen lock activates within 5 minutes of inactivity

Reporting violations

Security violations must be reported immediately via the incident register in the compliance portal. Suspected customer data breaches must be reported to the founder within 1 hour.

Consequences

Policy violations may result in access revocation, corrective action, or in severe cases, legal action.