CIS Controls v8.1 Acceptable Use Policy Template

Published on October 29, 2025

Users will typically be required to read the document, confirm their understanding, and sign before they are given access to enterprise assets, data, and other resources. These user agreements are typically meant to apply throughout the enterprise, but it is sometimes necessary for project-specific and business unit-specific agreements to exist. The rules defined within this document must be regularly updated to meet the enterprise’s needs and regularly enforced. Acceptable Use Policies help to reduce risk and educate users on current company policy. Therefore, they need to be written so that all readers can easily understand and follow them, regardless of their level of technical expertise.

Policy Template Purpose

The CIS Critical Security Controls® (CIS Controls®) recommend several policies that an enterprise should have in place as foundational elements of its cybersecurity program. The CIS Controls Information Security Policy Working Group worked to develop policies to support the CIS Controls. Once the initial scope of the Working Group was completed, the Working Group recommended that an Acceptable Use Policy template also be created. This policy template exists outside the typical topics covered within the CIS Controls, since the CIS Controls do not address acceptable use. If desired, enterprises are encouraged to use this policy template in whole or in part. The specific content of an Acceptable Use Policy varies widely. With that said, it’s often considered best practice to include what a user is permitted to do with enterprise data, how the enterprise assets can be used, and how enterprise data can be transmitted to other parties.

As of June 23, 2025, the MS-ISAC has introduced a fee-based membership. Any potential reference to no-cost MS-ISAC services no longer applies.