🛡️ Responsible System Usage Through Clear Expectations
🎯 Professional Standards for Information Technology Resources
📋 Document Owner: CEO | 📄 Version: 1.1 | 📅 Last Updated: 2026-01-25 (UTC)
🔄 Review Cycle: Annual | ⏰ Next Review: 2027-01-25
Hack23 AB's acceptable use policy demonstrates how clear behavioral expectations and professional standards directly support security excellence and business integrity. Our systematic approach to technology use serves as both operational necessity and client demonstration of our cybersecurity consulting expertise.
As a cybersecurity consulting company, our commitment to responsible system usage showcases how comprehensive acceptable use standards create competitive advantages through protected assets, maintained reputation, and demonstrated security culture. Our transparent acceptable use framework serves as a reference for clients seeking to establish their own usage policies.
This policy establishes mandatory behavioral expectations for using Hack23 AB information systems and technology resources, supporting compliance with data protection regulations, employment law, and industry security standards.
— James Pether Sörling, CEO/Founder
This policy establishes clear rules and behavioral expectations for the appropriate and secure use of Hack23 AB's information technology resources, ensuring protection of company assets, data confidentiality, and compliance with legal and regulatory requirements.
This policy applies to:
- All information systems documented in 💻 Asset Register
- All company-owned and personal devices used for business purposes
- All network and cloud infrastructure access
- All software development activities and business operations
- The CEO/Founder as the sole employee and all future personnel
- External contractors and partners accessing Hack23 AB systems
Hack23 AB operates as a single-person Swedish company with the CEO/Founder serving as the sole employee. All business operations are conducted from a home office environment with cloud-based infrastructure. This unique context requires acceptable use policies that:
- Acknowledge the dual role of CEO as both policy maker and policy follower
- Address work-from-home specific considerations
- Balance professional standards with practical single-person operations
- Demonstrate security culture to clients despite minimal organizational hierarchy
- Maintain audit-ready documentation for compliance and consulting credibility
All information technology resources are provided primarily for business purposes supporting:
- Software development and cybersecurity consulting operations
- Client project delivery and professional service excellence
- Business administration and compliance activities
- Professional development and industry research
Single-Person Company Context: As the sole employee, the CEO maintains discretion in balancing professional and limited personal use while maintaining documented security standards for client demonstration and audit purposes.
All system usage must comply with security controls defined in:
- 🔐 Information Security Policy - Overall security framework
- 🔑 Access Control Policy - Authentication and authorization
- 🔒 Cryptography Policy - Data protection standards
- 🌐 Network Security Policy - Network access controls
- 🛠️ Secure Development Policy - Development practices
All usage must comply with applicable laws and regulations including:
- GDPR: Personal data protection and privacy requirements
- NIS2 Directive: Network and information security requirements for essential services
- EU Cyber Resilience Act: Security requirements for products with digital elements
- Copyright Law: Respect for intellectual property rights
- Employment Law: Professional conduct standards
- Computer Crime Laws: Prohibition against unauthorized access
- Export Controls: Restrictions on cryptography and technology transfer
All technology use reflects professional standards appropriate for:
- A cybersecurity consulting company demonstrating security culture
- An open-source project maintainer with a public GitHub presence
- Professional business relationships with clients and partners
- Regulatory compliance and audit readiness
✅ Acceptable:
- Using strong, unique passwords for each system per Access Control Policy
- Enabling multi-factor authentication (MFA) on all business-critical systems
- Using approved password managers for credential storage
- Following least privilege access principles
- Logging out of sessions when leaving devices unattended
- Using company-approved devices and secure networks
❌ Prohibited:
- Sharing credentials or authentication tokens with third parties
- Using weak or reused passwords across multiple systems
- Disabling security features (antivirus, firewall, encryption)
- Storing credentials in plaintext files or unencrypted storage
- Accessing systems from untrusted or public networks without VPN
- Circumventing access control or security monitoring systems
✅ Acceptable:
- Handling data according to Classification Framework
- Encrypting sensitive data in transit and at rest per Cryptography Policy
- Following GDPR requirements for personal data per Privacy Policy
- Using approved cloud storage with appropriate security controls
- Backing up critical business data per Backup & Recovery Policy
- Securely deleting data when no longer needed
❌ Prohibited:
- Storing sensitive business data on unencrypted personal devices
- Sharing confidential information via unencrypted channels
- Downloading or storing customer data without business justification
- Using public file sharing services for sensitive business data
- Ignoring data classification labels and protection requirements
- Failing to report suspected data breaches immediately
✅ Acceptable:
- Using licensed software with valid commercial or open-source licenses
- Following Open Source Policy for open-source software
- Keeping software updated per Vulnerability Management
- Using software documented in Asset Register
- Installing security patches within defined timeframes
- Using development tools for approved business purposes
❌ Prohibited:
- Using unlicensed, pirated, or cracked software
- Installing unauthorized software without security assessment
- Using software for illegal activities or license violations
- Ignoring security updates and vulnerability patches
- Using end-of-life software without documented risk acceptance
- Installing software that conflicts with security policies
✅ Acceptable:
- Browsing professional websites for business purposes
- Using secure (HTTPS) connections for sensitive transactions
- Following email security practices (verify sender, avoid phishing)
- Downloading files from trusted sources only
- Using approved VPN when accessing business systems remotely
- Reasonable personal use during breaks (news, email, social media)
❌ Prohibited:
- Accessing illegal, malicious, or inappropriate websites
- Downloading pirated content, malware, or unauthorized software
- Clicking suspicious links or opening untrusted email attachments
- Using company resources for illegal activities
- Engaging in activities that harm company reputation
- Excessive personal use that impacts business productivity
✅ Acceptable:
- Following secure development practices per Secure Development Policy
- Using version control for all code changes (Git/GitHub)
- Conducting security testing before production deployment
- Following Change Management procedures
- Documenting changes and maintaining audit trails
- Using separate development, testing, and production environments
❌ Prohibited:
- Making uncontrolled changes to production systems
- Bypassing code review and testing procedures
- Hardcoding credentials or secrets in source code
- Committing sensitive data to version control
- Using production data in development without anonymization
- Disabling security features for "convenience"
✅ Acceptable:
- Following Mobile Device Management Policy requirements
- Using encrypted storage on mobile devices
- Enabling device lock screens with strong passwords/biometrics
- Installing security updates promptly
- Reporting lost or stolen devices immediately
- Using secure home office network per Physical Security Policy
❌ Prohibited:
- Jailbreaking or rooting mobile devices used for business
- Storing unencrypted business data on mobile devices
- Using unsecured public Wi-Fi for sensitive business access
- Failing to report device theft or loss
- Disabling device encryption or security features
- Mixing business and high-risk personal activities on the same device
✅ Acceptable:
- Maintaining professional communication standards
- Representing Hack23 AB positively in public forums
- Sharing open-source contributions and technical content
- Using social media for marketing and professional networking
- Clearly separating personal opinions from company positions
- Following disclosure policies for security research
❌ Prohibited:
- Sharing confidential business information publicly
- Making unauthorized statements on behalf of the company
- Engaging in harassment, discrimination, or inappropriate behavior
- Posting content that harms company reputation
- Disclosing security vulnerabilities before responsible disclosure
- Using company channels for personal political advocacy
The following activities are ABSOLUTELY PROHIBITED and may result in legal action:
- 🔴 Illegal Activities
  - Hacking, unauthorized access, or computer crimes
  - Software piracy or copyright infringement
  - Fraud, theft, or embezzlement
  - Illegal content (child exploitation, terrorism, etc.)
  - Money laundering or financial crimes
- 🔴 Malicious Actions
  - Introducing malware, viruses, or malicious code
  - Denial of service attacks or network sabotage
  - Data theft or unauthorized data exfiltration
  - Sabotaging systems or destroying data
  - Circumventing security controls maliciously
- 🔴 Data Breaches
  - Intentional unauthorized disclosure of sensitive data
  - Selling or sharing company confidential information
  - Violating customer privacy or GDPR requirements
  - Unauthorized access to systems or data
  - Negligent data handling causing security incidents
- 🔴 Harassment and Discrimination
  - Creating hostile or intimidating communications
  - Discrimination based on protected characteristics
  - Sexual harassment or inappropriate content
  - Cyberbullying or threatening behavior
  - Retaliation against those reporting violations
- 🔴 Reputation Damage
  - Deliberate actions harming company reputation
  - Misrepresenting company positions or capabilities
  - Engaging in unethical business practices
  - Disclosing false information about the company
  - Using company resources for a competing business
As a single-person company, the CEO maintains reasonable discretion for personal use of business resources while maintaining:
- Security Standards: All personal use must follow security policies
- Professional Conduct: Usage must not harm business reputation
- Legal Compliance: All activities must comply with applicable laws
- Resource Management: Personal use must not impact business operations
- Documentation: Maintain audit-ready documentation for compliance
Examples of Reasonable Personal Use:
- ✅ Checking personal email during breaks
- ✅ Brief personal internet browsing (news, social media)
- ✅ Personal learning and skill development
- ✅ Open-source contributions to non-competing projects
- ✅ Professional networking on social media
Examples of Unacceptable Personal Use:
- ❌ Operating a competing business on company infrastructure
- ❌ Excessive personal use impacting business productivity
- ❌ Personal use that violates security policies
- ❌ Activities that risk business reputation or legal compliance
- ❌ Resource-intensive personal projects affecting business systems
Hack23 AB implements monitoring for security, compliance, and business purposes:
✅ Monitored Activities:
- System access and authentication attempts
- Network traffic and security events
- Cloud infrastructure usage and changes
- Code repository commits and changes
- Security tool alerts and anomalies
- Backup success and failure events
🎯 Monitoring Purpose:
- Detect and respond to security incidents per Incident Response Plan
- Ensure compliance with security policies
- Investigate suspected policy violations
- Maintain audit trails for compliance and consulting credibility
- Track security metrics per Security Metrics
- Support business continuity and disaster recovery
🔐 Privacy Protections:
- Monitoring focused on security and business purposes
- No expectation of privacy for business systems
- Personal data handled per Privacy Policy
- Monitoring data retention per Data Classification Policy
- Single-person company context means no employee surveillance concerns
Monitoring data is retained and accessed according to:
- Retention: Per Data Classification Policy requirements
- Access: CEO/Founder as sole employee has full access
- Privacy: Third-party service logs protected per vendor agreements
- Compliance: Audit trails maintained for regulatory requirements
- Security: Monitoring data classified per Classification Framework
Reporting Mechanisms:
- Security Incidents: Follow Incident Response Plan
- Policy Violations: Contact CEO directly (self-reporting for single-person company)
- External Concerns: Email security@hack23.com
- Anonymous Reporting: GitHub security advisories for public projects
What to Report:
- Suspected security breaches or incidents
- Policy violations or unethical conduct
- System vulnerabilities or misconfigurations
- Lost or stolen devices containing business data
- Suspected malware or phishing attempts
- Unusual system behavior or access attempts
Single-Person Company Context: As the sole employee, the CEO is responsible for self-reporting and documenting any policy concerns, security incidents, or compliance issues to maintain audit readiness and demonstrate security culture to clients.
- Documentation: Record all relevant details of the incident or violation
- Assessment: Evaluate severity and business impact per Risk Assessment Methodology
- Response: Follow Incident Response Plan procedures
- Remediation: Implement corrective actions and update security controls
- Lessons Learned: Document findings and improve policies
- Transparency: Maintain audit trail for compliance and client demonstration
Single-Person Company Acknowledgment:
As the CEO/Founder and sole employee of Hack23 AB, I acknowledge:
- Understanding of this Acceptable Use Policy and its requirements
- Commitment to following all security policies and procedures
- Responsibility for maintaining professional standards
- Obligation to report security incidents and policy concerns
- Understanding that policy violations may harm business reputation and compliance posture
- Commitment to demonstrating security culture to clients through personal conduct
Documentation:
- Policy review documented annually per review cycle
- Self-assessment conducted during policy review
- Updates made based on business changes and regulatory requirements
- Acknowledgment maintained as part of ISMS documentation
This policy is reviewed annually or when significant changes occur:
Review Triggers:
- Annual review cycle
- Regulatory changes (GDPR, employment law, etc.)
- Security incidents requiring policy updates
- Business model changes (hiring employees, new services)
- Technology changes (new systems, cloud services)
- Client feedback or audit findings
Update Process:
- Review current policy effectiveness
- Assess changes in business context and threats
- Update policy content and related documents
- Document changes and rationale
- Communicate updates (self-notification for single-person company)
- Update acknowledgment and training materials
Single-Person Company Training Approach:
As a CISM/CISSP-certified cybersecurity professional, the CEO maintains awareness through:
- Professional Certifications: CISM, CISSP maintenance requirements
- Industry Publications: Security blogs, threat intelligence, vendor advisories
- Conference Participation: Attending security conferences and webinars
- Peer Learning: Professional security community engagement
- Vendor Training: Cloud platform and security tool training
- Regulatory Updates: Monitoring GDPR, NIS2, and compliance changes
Knowledge Areas:
- Current threat landscape and attack techniques
- Security best practices for development and operations
- GDPR and privacy requirements for software products
- Cloud security and AWS Well-Architected Framework
- Secure development lifecycle and DevSecOps
- Incident response and business continuity
- 🎯 Information Security Strategy - AI-first operations, Pentagon framework, and strategic acceptable use direction
- 🔐 Information Security Policy - Overall security framework with AI-First Operations Governance
- 🤖 AI Policy - AI-assisted systems usage governance and acceptable AI practices
- 🏷️ Classification Framework - Risk and impact classification
- 🔑 Access Control Policy - Authentication and authorization standards
- 🏠 Physical Security Policy - Home office security requirements
- 📱 Mobile Device Management Policy - Mobile device standards
- 🛠️ Secure Development Policy - Development practices
- 🌐 Network Security Policy - Network access standards
- 🔒 Cryptography Policy - Encryption and data protection
- 🏷️ Data Classification Policy - Data handling requirements
- 🔐 Privacy Policy - Personal data protection
- 🚨 Incident Response Plan - Security incident procedures
- 💻 Asset Register - Systems and software inventory
- 📊 Security Metrics - Monitoring and compliance tracking
📋 Document Control:
✅ Approved by: James Pether Sörling, CEO
📤 Distribution: Public
🏷️ Classification:
📅 Effective Date: 2026-01-25
⏰ Next Review: 2027-01-25
🎯 Framework Compliance: