Audit evidence packet
IT acceptable use
Owner: Marcus Sterling · State: Attestation open · Current version: v3
Generated for: Northstar Logistics Holdings · Prepared by: Riley Quintero (admin)
Policy
Authoritative metadata for POL-2031. This packet certifies that the policy is currently active, that the current version is v3, and that the attestation roster below reflects the state of compliance as of the printing date. Auditors should verify the publication date matches the reviewer-chain decision dates and that the attestation IP / timestamp pairs are consistent with the audit log.
- Code
- POL-2031
- Title
- Acceptable Use Policy
- Category
- IT acceptable use
- State
- Attestation open
- Effective
- Apr 16, 2026
- Next review
- Apr 16, 2027
- Expires
- Apr 16, 2027
- Substantive flag
- Substantive change detected
- AI summary (current version)
- AI summary: Acceptable Use Policy v3 — covers it acceptable use with updates to previous version. Recommended attestation cycle: annual.
- Audience(s)
- All employees (all)
Show current version body
# Acceptable Use Policy ## 1. Purpose This Acceptable Use Policy (AUP) defines the acceptable use of Northstar Logistics Holdings information systems, networks, and information resources by all employees, contractors, and temporary staff. It supports the company's commitment to information security, regulatory compliance (SOC 2 Type II, ISO 27001:2022), and operational integrity across our distribution network in Dallas, Long Beach, Newark, Rotterdam, and Hamburg. ## 2. Scope This policy applies to all Northstar employees, contractors, vendors with system access, all company-issued laptops, mobile devices, vehicle telematics terminals, all software and cloud services (Microsoft 365, Salesforce, our internal WMS), and personal devices used to access Northstar information (BYOD). ## 3. Acceptable use Authorized users may access information systems for legitimate business purposes, communicate with customers, partners, and colleagues via approved channels, install software from the corporate software catalog, and connect to corporate networks via approved VPN. ## 4. Prohibited use The following activities are strictly prohibited: unauthorized access to systems, data, or accounts; sharing of credentials or multi-factor authentication tokens; storage of customer PII on personal devices; use of consumer cloud storage (personal Dropbox, Google Drive) for company data; installation of unapproved software, browser extensions, or VPN tools. ## 5. Device encryption (SUBSTANTIVE CHANGE — added in v3) All endpoint devices accessing Northstar information must have full-disk encryption enabled (FileVault on macOS, BitLocker on Windows). Mobile devices must use device-level encryption with a passcode of at least 6 digits or a strong biometric. Loss or theft of an unencrypted device storing company data must be reported within 1 hour to security@northstarlogistics.com. This is a substantive change from v2 and triggers re-attestation for all assigned employees. ## 6. Enforcement Violations may result in disciplinary action up to and including termination of employment, contractor agreement, or vendor relationship. Repeated or severe violations may be reported to law enforcement. ## 7. Review cadence This policy is reviewed annually by Information Security, with substantive updates triggering an immediate re-attestation cycle. ## 8. Approver chain Author: Marcus Sterling · SME reviewer: Aisha Patel · Compliance reviewer: Diego Ortega · Executive approver: Hank Mendez.
Version history
Every version of POL-2031 with author, publication date, and substantive-change classification. Earlier versions are retired when a new one publishes. The substantive-change column reflects the AI classifier's decision on whether the change introduced new obligations (substantive) or only clarifications (cosmetic).
| Version | State | Author | Published | Retired | Substantive |
|---|---|---|---|---|---|
| v3 | Attestation open | Marcus Sterling | Apr 16, 2026 | — | Substantive |
| v2 | Retired | Marcus Sterling | Mar 17, 2026 | Mar 17, 2026 | Cosmetic |
| v1 | Retired | Marcus Sterling | Feb 15, 2026 | Feb 15, 2026 | Cosmetic |
Change impacts (AI-classified deltas)
- substantive: v2 → v3 (Apr 15, 2026). New device encryption obligation introduced in v3. AI substantive-change detector flagged this on save. Triggered re-attestation of all 92 prior attestations.
Attestation coverage
82 of 92 assigned employees have attested to POL-2031 version v3, for an overall coverage of 89%. 5 attestations are overdue past the due date — the daily cron reminder has fired and the compliance officer has been notified. The roster below shows the most recent 25 entries; the full roster is exportable to CSV via the audit-bundle Export action on the policy detail page.
Coverage by team
- Operations — Dallas10/1191%
- Operations — Long Beach9/1182%
- Operations — Newark9/1090%
- Engineering9/1090%
- Finance10/10100%
- HR & People Ops10/10100%
- Information Security8/1080%
- EU Operations — Rotterdam8/1080%
- EU Operations — Hamburg9/1090%
Attestation roster (sample)
| Employee | Code | Team | Country | State | Assigned | Due | Attested at | IP |
|---|---|---|---|---|---|---|---|---|
| Sarah Beck | EMP-1000 | Operations — Dallas | US | Attested | Apr 16, 2026 | May 9, 2026 | May 15, 2026 6:38 PM | 10.0.0.0 |
| Janet Liu | EMP-1002 | Operations — Newark | US | Attested | Apr 16, 2026 | May 9, 2026 | May 13, 2026 6:38 PM | 10.0.2.14 |
| Carlos Mendez | EMP-1003 | Engineering | US | Attested | Apr 16, 2026 | May 9, 2026 | May 12, 2026 6:38 PM | 10.0.3.21 |
| Priya Shah | EMP-1004 | Finance | US | Attested | Apr 16, 2026 | May 9, 2026 | May 11, 2026 6:38 PM | 10.0.4.28 |
| Ahmed Rahimi | EMP-1005 | HR & People Ops | US | Attested | Apr 16, 2026 | May 9, 2026 | May 10, 2026 6:38 PM | 10.0.5.35 |
| Olivia Becker | EMP-1006 | Information Security | US | Attested | Apr 16, 2026 | May 9, 2026 | May 9, 2026 6:38 PM | 10.0.6.42 |
| David Chen | EMP-1007 | EU Operations — Rotterdam | NL | Attested | Apr 16, 2026 | May 9, 2026 | May 8, 2026 6:38 PM | 10.0.7.49 |
| Ruby Williams | EMP-1008 | EU Operations — Hamburg | DE | Attested | Apr 16, 2026 | May 9, 2026 | May 7, 2026 6:38 PM | 10.0.8.56 |
| Mateo Silva | EMP-1009 | Operations — Dallas | US | Attested | Apr 16, 2026 | May 9, 2026 | May 6, 2026 6:38 PM | 10.0.9.63 |
| Anna Kowalski | EMP-1010 | Operations — Long Beach | US | Attested | Apr 16, 2026 | May 9, 2026 | May 5, 2026 6:38 PM | 10.1.10.70 |
| Liam O'Brien | EMP-1011 | Operations — Newark | US | Attested | Apr 16, 2026 | May 9, 2026 | May 4, 2026 6:38 PM | 10.1.11.77 |
| Emma Johansson | EMP-1012 | Engineering | US | Attested | Apr 16, 2026 | May 9, 2026 | May 3, 2026 6:38 PM | 10.1.12.84 |
| Noah Schmidt | EMP-1013 | Finance | US | Attested | Apr 16, 2026 | May 9, 2026 | May 2, 2026 6:38 PM | 10.1.13.91 |
| Sofia Rossi | EMP-1014 | HR & People Ops | US | Attested | Apr 16, 2026 | May 9, 2026 | May 1, 2026 6:38 PM | 10.1.14.98 |
| Maya Patel | EMP-1016 | EU Operations — Rotterdam | NL | Attested | Apr 16, 2026 | May 9, 2026 | Apr 29, 2026 6:38 PM | 10.1.16.112 |
| Owen Murphy | EMP-1017 | EU Operations — Hamburg | DE | Attested | Apr 16, 2026 | May 9, 2026 | Apr 28, 2026 6:38 PM | 10.1.17.119 |
| Lily Tran | EMP-1018 | Operations — Dallas | US | Attested | Apr 16, 2026 | May 9, 2026 | Apr 27, 2026 6:38 PM | 10.1.18.126 |
| Caleb Nakamura | EMP-1019 | Operations — Long Beach | US | Attested | Apr 16, 2026 | May 9, 2026 | Apr 26, 2026 6:38 PM | 10.1.19.133 |
| Isabella Romano | EMP-1020 | Operations — Newark | US | Attested | Apr 16, 2026 | May 9, 2026 | May 15, 2026 6:38 PM | 10.2.20.140 |
| Lucas Andersen | EMP-1021 | Engineering | US | Attested | Apr 16, 2026 | May 9, 2026 | May 14, 2026 6:38 PM | 10.2.21.147 |
| Mia Ferreira | EMP-1022 | Finance | US | Attested | Apr 16, 2026 | May 9, 2026 | May 13, 2026 6:38 PM | 10.2.22.154 |
| Henry Lindqvist | EMP-1023 | HR & People Ops | US | Attested | Apr 16, 2026 | May 9, 2026 | May 12, 2026 6:38 PM | 10.2.23.161 |
| Ava Goldberg | EMP-1024 | Information Security | US | Attested | Apr 16, 2026 | May 9, 2026 | May 11, 2026 6:38 PM | 10.2.24.168 |
| Daniel Brodsky | EMP-1025 | EU Operations — Rotterdam | NL | Attested | Apr 16, 2026 | May 9, 2026 | May 10, 2026 6:38 PM | 10.2.25.175 |
| Charlotte Dubois | EMP-1026 | EU Operations — Hamburg | DE | Attested | Apr 16, 2026 | May 9, 2026 | May 9, 2026 6:38 PM | 10.2.26.182 |
Roster shows first 25 of 92 attestations. Full roster: see policy detail page → Export audit bundle (CSV).
Review chain
Reviewer steps and their decisions for the current version of POL-2031. Restricted-category policies (e.g. Information Security, Privacy & Data Handling) require Legal + Security reviewer approvals in addition to SME before executive sign-off; this packet records the reviewer type, identity, decision, comment, and decision timestamp for each step. The Executive approval entry at the bottom records the executive_approver's final sign-off before publication.
| Order | Reviewer type | Reviewer | State | Decision | Comment | Decided at |
|---|---|---|---|---|---|---|
| 1 | Subject-matter expert | Aisha Patel | Approved | Approved | Substantive change confirmed. Device encryption requirement aligns with SOC 2 CC6.1. Approved. | Apr 18, 2026 6:38 PM |
| 2 | Compliance | Diego Ortega | Approved | Approved | Re-attestation flow confirmed. All 92 prior attestations correctly superseded. Approved. | Apr 19, 2026 6:38 PM |
| Executive approval | Hank Mendez (executive_approver) | Approved | Approved | Final sign-off before publication. | Apr 16, 2026 |
Auditor sign-off
This packet is exportable to PDF + CSV for delivery to SOC 2, ISO 27001, or SOX auditors. Sign and retain as evidence of policy publication, reviewer chain, and attestation coverage for POL-2031. Audit retention period: 7 years.