Acceptable Use Policy
Veridian Corp — Technology Resources Usage Standards
| Document ID | AUP-001 |
| Version | 3.0 |
| Effective Date | January 15, 2026 |
| Owner | IT Security Team |
| Scope | All employees, contractors, vendors with system access |
Permitted and Prohibited Use
Company systems and networks must be used primarily for legitimate business purposes.
Employees must not use company systems to access, store, or distribute illegal, offensive, or discriminatory content.
Installation of unauthorized software on company devices is prohibited; all software must be approved and deployed by IT.
Company internet connections must not be used for torrenting, cryptocurrency mining, or streaming services unrelated to work.
Employees must not attempt to circumvent, disable, or tamper with security controls, monitoring tools, or access restrictions.
Monitoring and Privacy
Employees should have no expectation of privacy when using company-owned systems, networks, or equipment.
Veridian Corp reserves the right to monitor, log, and audit all activity on company systems without prior notice.
Access logs, email records, and system activity may be reviewed as part of security investigations or compliance audits.
Employees must not attempt to delete, alter, or conceal their activity on company systems.
Software Installation
All software must be licensed; installation of pirated or unlicensed software is a terminable offense.
Browser extensions must be reviewed and approved by IT Security before installation on company devices.
AI-powered tools and SaaS applications that process company data must receive IT Security and Legal approval before use.
Data Transfer
Company data must not be uploaded to personal cloud storage services (Google Drive personal, Dropbox personal, iCloud, etc.) under any circumstances.
Large data transfers (over 1GB) outside the corporate network require IT Security approval and logging.
USB storage devices must be encrypted and IT-approved; use of personal USB drives with company data is prohibited.
Device telemetry data and PHI must never be accessed, downloaded, or exported to personal devices or accounts under any circumstances.
Approved Software Whitelist (Excerpt)
| Software | Category | Approval Status | Data Classification Allowed | Approved By |
|---|---|---|---|---|
| Microsoft 365 | Productivity | Approved | Internal, Confidential | IT Security |
| Slack Enterprise | Communication | Approved | Internal only — no PHI | IT Security |
| Zoom Healthcare | Video Conferencing | Approved | PHI permitted with BAA | IT Security + DPO |
| GitHub Enterprise | Development | Approved | Internal — no PHI in repos | IT Security |
| MasterControl QMS | Quality Management | Approved | Confidential, FDA records | QA + IT Security |
| ChatGPT / OpenAI | AI Tool | Prohibited — no company data | None | IT Security |
| Personal Gmail | Prohibited | None | IT Security |
Software not on the approved whitelist must not be installed; requests for new software go through IT Security review via ServiceNow Form IT-APP-001.
AI & SaaS Tool Approval Matrix
| Tool Type | PHI Allowed | Confidential Allowed | Approval Required From | Review Cycle |
|---|---|---|---|---|
| General AI (ChatGPT, Claude, etc.) | Prohibited | Prohibited | Not approvable | — |
| Enterprise AI (Azure OpenAI, etc.) | With BAA | With assessment | CISO + DPO + Legal | Annual |
| Cloud Storage SaaS | With BAA | With DPA | IT Security + DPO | Annual |
| HR / Payroll SaaS | Employee PII only | Employee data | HR + IT Security | Annual |
Prohibited Activities — Enforcement Matrix
| Violation | First Offense | Repeat Offense | Report To |
|---|---|---|---|
| Unauthorized software installation | Written warning + removal | Termination | IT Security |
| PHI on personal device/cloud | Immediate termination review | Termination | DPO + HR |
| Security control circumvention | Termination | — | CISO |
| Crypto mining / torrenting | Written warning | Termination | IT Security |