All templates
Company PoliciesPolicyUS edition

IT Acceptable Use Policy template

An IT acceptable use policy is the written set of rules for how staff use {{org.name}}'s systems, devices, email, and internet access — what is allowed, what is prohibited, and what to do when something goes wrong. It is the document you reach for when an account is compromised, a laptop goes missing, or someone's use of company systems becomes a problem.

Free to use
US-focused
Updated 13 July 2026
UK version →

Most security incidents start with ordinary user behavior: a reused password, a phishing link, work files copied to a personal account. A short, trained acceptable use policy is the cheapest security control a small business can deploy — and without one, disciplining misuse is an uphill argument, because nobody can point to the rule that was broken.

This template gives you the full policy: acceptable and unacceptable use, password and device security, personal use and monitoring, and an incident reporting procedure.

The template

Full text, ready to adapt.

Highlighted fields are placeholders — replace them with your organisation's specifics. A starting point, not legal advice.

IT Acceptable Use Policy

Policy · Company Policies

1. Purpose and scope

This policy sets the rules for using {{org.name}}'s IT systems: computers, phones, email, internet access, software, and the cloud services we provide, including [list main systems]. It applies to all employees, contractors, and anyone else given access, whether working on site or remotely.

This policy is a statement of expectations, not a contract. It does not create a contract of employment, express or implied, and it does not change the at-will nature of employment at {{org.name}} — either you or the company may end the employment relationship at any time, with or without cause or notice, except where the law provides otherwise.

2. Policy statement

{{org.name}} provides IT systems so people can do their jobs. We expect everyone to use them lawfully, securely, and professionally. Reasonable personal use is permitted within the limits below, but the systems remain company property and business needs come first.

Nothing in this policy prohibits employees from discussing wages, hours, or working conditions with each other, or from exercising any other right protected by law.

3. Responsibilities

  • Policy owner ([name/role]): keeps this policy current, approves exceptions in writing, and reviews incidents.
  • IT lead ([name/role or provider]): manages accounts and access rights, applies security updates, and responds to reported incidents.
  • Managers: confirm their team has read this policy, and request access changes when people join, change roles, or leave.
  • All users: follow the rules, complete required training, and report anything suspicious without delay.

4. Acceptable use

  • Work under your own named account — never use someone else's login, and never lend yours.
  • Use only software and cloud services approved by [IT lead/role]; ask before installing anything new.
  • Store work files in [approved location, e.g. the company drive], not on desktops, USB drives, or personal cloud accounts.
  • Lock your screen whenever you leave a device unattended, on site or at home.
  • Keep business communication in company email and messaging so records stay in company systems.

5. Unacceptable use

  • Sharing your password or credentials with anyone, including colleagues and managers.
  • Accessing, storing, or sending material that is illegal, discriminatory, pornographic, or likely to harass or offend — the anti-harassment policy applies on screen exactly as it does in person.
  • Sending company or customer data to personal email accounts or personal storage.
  • Attempting to access systems, records, or accounts you are not authorized to use — this can also be a federal crime.
  • Disabling security controls such as antivirus software, screen locks, or device encryption.
  • Using company systems to run a personal business or for any other unlawful activity.

6. Passwords, devices and security basics

  • Use a strong, unique password for every company account, and change it immediately if you suspect anyone else knows it.
  • Turn on multi-factor authentication wherever [IT lead/role] has made it available.
  • Treat unexpected messages asking for logins, payments, or urgent action as suspect — verify through a second channel before acting.
  • Install security updates promptly; do not postpone them for more than [number] days.
  • Report lost or stolen devices to [name/role] immediately, at any hour — speed limits the damage.

7. Personal use and monitoring

Reasonable personal use of email and the internet is allowed during breaks, provided it does not interfere with work, use significant resources, or involve anything listed as unacceptable use. Personal use is a privilege we can restrict for operational reasons.

{{org.name}} monitors its systems only to the extent needed for security, legal compliance, and operational management — currently [describe: spam filtering, web filtering logs, access logs]. Users should have no expectation of privacy in anything created, sent, received, or stored on company systems. We do not routinely read personal messages, and any targeted review needs authorization from [senior role] and is recorded. Some states require specific notice of electronic monitoring — check your state and local authority and match this section to what your tools actually do.

8. Security incidents, records and review

Signed acknowledgments, training records, and the incident log are kept in [system/location]. This policy is reviewed [frequency, e.g. annually] and after any significant incident. Owner: [name/role]. Next review: [date].

  1. 1Report suspected incidents — a clicked phishing link, a lost device, an email to the wrong recipient, unusual account activity — to [name/role] immediately. Nobody will be criticized for reporting an honest mistake quickly.
  2. 2[Name/role] contains the incident: isolating devices, resetting credentials, and preserving evidence.
  3. 3If personal data may be exposed, follow the data breach response procedure — state breach notification laws vary, so [name/role] checks the current requirements for the states where affected people live.
  4. 4Record the incident, its cause, and the fix in [log/system], and feed lessons back into training.
Make it yours

How to adapt this template.

1

List the systems people actually use before editing — the policy should name real tools, not generic categories.

2

Agree the monitoring paragraph with whoever runs your IT, check your state's notice rules for electronic monitoring, and describe only what your tools actually do.

3

Decide your position on personal use and state it plainly — vague tolerance is where disputes start.

4

Read the unacceptable use list against the NLRA caution: rules should target misuse, never employee conversation about working conditions.

5

Fill every [bracketed placeholder], and name a real person for incident reports with a deputy for absences.

6

Collect a signed or digital acknowledgment from every user — an unacknowledged IT policy is hard to enforce.

A document is not a system

Turn this template into trained, proven behaviour

A policy in a drawer proves nothing. In TrainedTeam this template becomes assigned training with knowledge checks, e-signature acknowledgments, version history, and an audit-ready record of who completed what, when.

IT Acceptable Use Policy template FAQs

Is an IT acceptable use policy legally required in the US?

No federal law names one. But an employer that disciplines someone for misusing systems without a written, communicated rule is arguing uphill, and customers, insurers, and auditors increasingly expect basic written security rules. It is the cheapest security control most small businesses can deploy.

Can we monitor employees' email and internet use?

Employers can generally monitor activity on their own systems, especially with clear notice — which is why this template tells users not to expect privacy on company systems. But notice and consent rules vary by state, and a few states require specific disclosures before monitoring, so check your state and local authority and keep the monitoring section accurate to what you actually do.

Can an acceptable use policy ban employees from discussing work on company systems?

Be careful here. The National Labor Relations Act protects most private-sector employees' right to discuss wages and working conditions with each other, union or not, and a rule broad enough to reach that discussion can draw a federal challenge. Target the policy at genuine misuse — harassment, data theft, security violations — not at conversation.

What should staff do if they click a phishing link?

Report it to the named contact immediately, even outside working hours, and never try to fix it quietly. Fast reporting is the biggest single factor in limiting damage, which is why this template promises staff they will not be criticized for reporting an honest mistake promptly.

How often should an acceptable use policy be reviewed?

At least annually, after any significant security incident, and whenever you adopt a major new system or way of working. A policy that still describes tools you retired two years ago teaches staff to ignore it.