Acceptable Use Policy¶
This is the one security policy everyone at Holmes needs to read. It covers how to behave with Holmes technology and information day to day. Follow it and you've met your obligations. The more technical policies behind it are for the people who build and run our systems. Where something needs detail, this policy links to it rather than repeating it.
It contains only rules about your own behaviour. How systems are configured is IT's and the System Owners' job, not yours, and lives in the control policies.
1. The essentials¶
Five things to remember:
- Treat information as Confidential by default. Client and Holmes information is confidential unless it's clearly public. Handle it per Information Classification.
- Keep work on Holmes systems. Use approved tools and accounts, not personal email, personal cloud, or unapproved apps.
- Protect your identity. Strong unique credentials, the password manager, no sharing, MFA everywhere. See Identity & Access.
- Think before you click, paste, or send. Email and AI prompts are the two easiest ways to leak or get phished.
- Report anything odd, fast. A lost laptop, a suspicious email, a document you can see but shouldn't. Reporting early is never the wrong call. See Incident Response.
2. Handling information¶
| Ref | Requirement |
|---|---|
| AUP.1 | You MUST handle information according to its classification (02), Confidential by default. |
| AUP.2 | You MUST store and share Holmes information only on approved systems, and MUST NOT use personal cloud, personal email, or personal accounts for it. |
| AUP.3 | You MUST protect confidential information off-site. Keep devices and documents secure and not left unattended. |
| AUP.4 | You MUST report any suspected exposure of information as soon as you're aware, including anything you can access that your role shouldn't allow. |
3. Identity and devices¶
| Ref | Requirement |
|---|---|
| AUP.5 | You MUST protect your accounts as set out in Identity & Access: MFA, the Holmes password manager, no password sharing (including with IT), and no reuse of work passwords elsewhere. |
| AUP.6 | You MUST keep devices locked when unattended and secure when travelling (06 Endpoint & Mobile). |
| AUP.7 | You MUST report a lost or stolen device immediately. Holmes may remotely remove its data. 06 explains how this differs for personal and Holmes devices. |
| AUP.8 | You MUST NOT install software, or bypass security controls like allowlisting, filtering, or MFA, on Holmes devices without authorisation. |
4. Email, messaging and AI¶
| Ref | Requirement |
|---|---|
| AUP.9 | You MUST treat unexpected attachments and links with caution and use the Report button for anything suspicious (08 Email & Messaging). |
| AUP.10 | You MUST NOT auto-forward Holmes email to external addresses, send from someone else's account without authorisation, or forge messages. |
| AUP.11 | You MUST use AI tools only as set out in AI Systems Usage: approved tools for Holmes information, free or public AI for genuinely public information only. |
| AUP.12 | You MUST NOT expose secrets (passwords, keys, tokens, certificates) outside the approved password manager or secret store. If a secret is exposed, report it and get it rotated (12). |
5. Conduct¶
| Ref | Requirement |
|---|---|
| AUP.13 | You MUST NOT create, store, or send material that's unlawful, or that could reasonably be seen as abusive, offensive, or objectionable. |
| AUP.14 | You MUST NOT use Holmes systems to infringe others' rights (copyright, trade secrets, IP) or to run a private business. |
| AUP.15 | You SHOULD keep personal use reasonable and use good judgement. Occasional personal use is fine. It must not interfere with work, use undue resources, or breach these policies. |
| AUP.16 | Personal use of AI tools on Holmes devices follows the same rules as work use (05). There's no separate, looser standard for personal AI on a Holmes machine. |
| AUP.17 | You SHOULD be careful what you post about Holmes on social and internal channels. Keep confidentiality, respect colleagues and clients, and get consent before posting photos of people. |
| AUP.18 | Holmes information and software on any device used for work, yours or ours, stays Holmes property. On leaving, you MUST return or remove Holmes information from personal devices. Holmes will remove its data from managed devices (06). |
6. The two things people get wrong¶
Can I paste this into ChatGPT, Copilot, or Claude? Only if it's genuinely public, or you're using an approved tool for Holmes work per 05. When unsure, treat it as Confidential and don't. The approved tools exist so you rarely need the free ones.
A client emailed me a confidential file. Receiving it is fine. File it into the project system so it's protected and retained, rather than leaving it in your inbox (02, section 5).
7. A note on off-site device use¶
Holmes devices are meant to travel with you. There's no need to seek authorisation to take a laptop off-site. Your obligations are simply to keep it secure, keep it locked, report loss immediately, and not let others use it.
Related policies¶
00 Framework, 02 Information Classification, 03 Identity & Access, 05 AI Systems, 06 Endpoint & Mobile, 08 Email & Messaging, 12 Incident Response.