Cyber Risk Policy Framework - Staff and Contractor Obligations
Governance Control: Cyber Risk Policies
1. Purpose
Define the roles, responsibilities, behavioral rules, constraints, and non-compliance consequences applicable to all staff and contractors with respect to [ORGANIZATION]'s cyber risk management requirements.
2. Scope
This policy applies to all employees (permanent, temporary, and part-time), contractors, consultants, interns, and any other personnel who access or use [ORGANIZATION]'s information systems, data, or facilities.
3. Policy Content
3.1 Roles and Responsibilities
All Personnel: Comply with all cyber risk policies and standards; complete required security awareness training; report suspected security incidents, vulnerabilities, or policy violations to [CUSTOMIZE: Security Team / IT Help Desk]; protect assigned credentials and access tokens; handle data according to its classification level.
People Managers: Ensure direct reports complete required security training; enforce policy compliance within their teams; ensure access is revoked for departing personnel within [CUSTOMIZE: same business day]; participate in security awareness activities as directed.
System and Data Owners: Maintain accurate inventories of owned systems and data; ensure appropriate security controls are implemented; authorize and review access to owned systems; ensure compliance with applicable regulatory requirements.
Contractors and Third-Party Personnel: Comply with all [ORGANIZATION] cyber risk policies as a condition of engagement; complete [ORGANIZATION]-specific security orientation; immediately report any security incidents involving [ORGANIZATION] data or systems to [CUSTOMIZE: Vendor Management / Security Team].
IT and Security Personnel: Implement and maintain security controls; monitor systems for security events; respond to incidents per established playbooks; maintain current knowledge of threats and vulnerabilities.
3.2 Behavioral Rules and Requirements
All personnel shall use [ORGANIZATION] information systems only for authorized purposes and in compliance with all applicable policies.
All personnel shall protect [ORGANIZATION] data according to its classification and shall not share, transmit, or store data using unauthorized methods or systems.
All personnel shall use unique individual credentials and shall not share, reuse, or expose authentication credentials.
All personnel shall lock workstations when unattended and physically secure portable devices containing [ORGANIZATION] data.
All personnel shall complete all assigned cybersecurity training within [CUSTOMIZE: 30 days] of assignment and maintain current training status at all times.
All personnel shall report suspected phishing, social engineering, malware, unauthorized access, or data exposure to [CUSTOMIZE: Security Team / IT Help Desk] immediately upon discovery.
All personnel shall cooperate with security investigations and audits as requested.
3.3 Constraints and Prohibitions
Personnel shall not install, execute, or deploy unauthorized software, hardware, or services on [ORGANIZATION]-managed systems without prior approval from [CUSTOMIZE: IT Security].
Personnel shall not disable, bypass, or interfere with security controls, monitoring agents, or protective technologies.
Personnel shall not access systems, data, or facilities for which they have not been explicitly authorized.
Personnel shall not remove [ORGANIZATION] data from approved systems and storage without authorization from the data owner.
Personnel shall not connect personal or unauthorized devices to [ORGANIZATION]'s internal network segments without approval from [CUSTOMIZE: IT Security].
Personnel shall not use [ORGANIZATION] systems for illegal activities, harassment, unauthorized data collection, or any purpose that violates applicable laws or [ORGANIZATION] policies.
Personnel shall not represent themselves to external parties in a security capacity unless specifically authorized to do so.
3.4 Non-Compliance Consequences
[ORGANIZATION] takes cyber risk policy compliance seriously. Non-compliance may result in one or more of the following actions, depending on the nature and severity of the violation:
Verbal warning and mandatory remedial training (Minor first-time violations)
Written warning placed in personnel file (Repeated minor violations or moderate violations)
Suspension or restriction of system access privileges (Significant violations or pending investigation)
Termination of employment or contract engagement (Serious violations, willful non-compliance, or violations resulting in material harm)
Civil or criminal legal action (Violations involving illegal activity, fraud, or intentional data theft)
For contractors: Contract penalties and/or termination as specified in the service agreement
The [CUSTOMIZE: HR Department / Legal Team] in consultation with [CUSTOMIZE: CISO / Security Team] shall determine the appropriate consequence based on the violation circumstances.
All enforcement actions shall be documented and retained per the records retention schedule.
3.5 Policy Acknowledgment
All personnel shall acknowledge this policy upon initial onboarding and at least [CUSTOMIZE: annually] thereafter through the designated acknowledgment process.
Acknowledgment records shall be maintained by [CUSTOMIZE: HR / Security Team] and made available for audit upon request.
Contractors and third-party personnel shall acknowledge this policy as part of the onboarding process managed by [CUSTOMIZE: Vendor Management / Procurement].
Failure to complete policy acknowledgment within [CUSTOMIZE: 14 days] of request shall result in suspension of system access until acknowledgment is obtained.
4. Compliance
Compliance with this policy is mandatory for all personnel and functions within its scope. Compliance will be monitored through periodic audits, management review, and second line of defence oversight.
Exceptions to this policy must be documented with a business justification, approved by [CUSTOMIZE: CISO/Executive Risk Committee], and reviewed at least annually.
5. Review and Revision
This policy shall be reviewed at least annually by [CUSTOMIZE: CISO/Document Owner] and updated as necessary to reflect changes in the threat landscape, regulatory requirements, organizational structure, or risk appetite.
All revisions shall be documented with version number, date, author, and description of changes.
Document Approval
Approved By: [CUSTOMIZE] | Title: [CUSTOMIZE] | Date: [CUSTOMIZE]
Document Control