IT acceptable use. State: Attestation open. Owner: Marcus Sterling.
# Acceptable Use Policy ## 1. Purpose This Acceptable Use Policy (AUP) defines the acceptable use of Northstar Logistics Holdings information systems, networks, and information resources by all employees, contractors, and temporary staff. It supports the company's commitment to information security, regulatory compliance (SOC 2 Type II, ISO 27001:2022), and operational integrity across our distribution network in Dallas, Long Beach, Newark, Rotterdam, and Hamburg. ## 2. Scope This policy applies to all Northstar employees, contractors, vendors with system access, all company-issued laptops, mobile devices, vehicle telematics terminals, all software and cloud services (Microsoft 365, Salesforce, our internal WMS), and personal devices used to access Northstar information (BYOD). ## 3. Acceptable use Authorized users may access information systems for legitimate business purposes, communicate with customers, partners, and colleagues via approved channels, install software from the corporate software catalog, and connect to corporate networks via approved VPN. ## 4. Prohibited use The following activities are strictly prohibited: unauthorized access to systems, data, or accounts; sharing of credentials or multi-factor authentication tokens; storage of customer PII on personal devices; use of consumer cloud storage (personal Dropbox, Google Drive) for company data; installation of unapproved software, browser extensions, or VPN tools. ## 5. Device encryption (SUBSTANTIVE CHANGE — added in v3) All endpoint devices accessing Northstar information must have full-disk encryption enabled (FileVault on macOS, BitLocker on Windows). Mobile devices must use device-level encryption with a passcode of at least 6 digits or a strong biometric. Loss or theft of an unencrypted device storing company data must be reported within 1 hour to security@northstarlogistics.com. This is a substantive change from v2 and triggers re-attestation for all assigned employees. ## 6. Enforcement Violations may result in disciplinary action up to and including termination of employment, contractor agreement, or vendor relationship. Repeated or severe violations may be reported to law enforcement. ## 7. Review cadence This policy is reviewed annually by Information Security, with substantive updates triggering an immediate re-attestation cycle. ## 8. Approver chain Author: Marcus Sterling · SME reviewer: Aisha Patel · Compliance reviewer: Diego Ortega · Executive approver: Hank Mendez.
| Order | Reviewer type | Reviewer | State | Decision | Comment |
|---|---|---|---|---|---|
| 1 | Subject-matter expert | Aisha Patel | Approved | Approved | Substantive change confirmed. Device encryption requirement aligns with SOC 2 CC6.1. Approved. |
| 2 | Compliance | Diego Ortega | Approved | Approved | Re-attestation flow confirmed. All 92 prior attestations correctly superseded. Approved. |
| Version | State | Author | Published | Substantive | Retired |
|---|---|---|---|---|---|
| v3 | Attestation open | Marcus Sterling | Apr 16, 2026 | Substantive | — |
| v2 | Retired | Marcus Sterling | Mar 17, 2026 | Cosmetic | Mar 17, 2026 |
| v1 | Retired | Marcus Sterling | Feb 15, 2026 | Cosmetic | Feb 15, 2026 |
| Employee | State | Assigned | Due | Attested at | IP |
|---|---|---|---|---|---|
| Diego Ortega (EMP-1001) | Overdue | Apr 16, 2026 | May 9, 2026 | — | - |
| Janet Liu (EMP-1002) | Attested | Apr 16, 2026 | May 9, 2026 | May 13, 2026 6:38 PM | 10.0.2.14 |
| Carlos Mendez (EMP-1003) | Attested | Apr 16, 2026 | May 9, 2026 | May 12, 2026 6:38 PM | 10.0.3.21 |
| Priya Shah (EMP-1004) | Attested | Apr 16, 2026 | May 9, 2026 | May 11, 2026 6:38 PM | 10.0.4.28 |
| Ahmed Rahimi (EMP-1005) | Attested | Apr 16, 2026 | May 9, 2026 | May 10, 2026 6:38 PM | 10.0.5.35 |
| Olivia Becker (EMP-1006) | Attested | Apr 16, 2026 | May 9, 2026 | May 9, 2026 6:38 PM | 10.0.6.42 |
| David Chen (EMP-1007) | Attested | Apr 16, 2026 | May 9, 2026 | May 8, 2026 6:38 PM | 10.0.7.49 |
| Ruby Williams (EMP-1008) | Attested | Apr 16, 2026 | May 9, 2026 | May 7, 2026 6:38 PM | 10.0.8.56 |
| Mateo Silva (EMP-1009) | Attested | Apr 16, 2026 | May 9, 2026 | May 6, 2026 6:38 PM | 10.0.9.63 |
| Anna Kowalski (EMP-1010) | Attested | Apr 16, 2026 | May 9, 2026 | May 5, 2026 6:38 PM | 10.1.10.70 |
| Liam O'Brien (EMP-1011) | Attested | Apr 16, 2026 | May 9, 2026 | May 4, 2026 6:38 PM | 10.1.11.77 |
| Sarah Beck (EMP-1000) | Attested | Apr 16, 2026 | May 9, 2026 | May 15, 2026 6:38 PM | 10.0.0.0 |
New device encryption obligation introduced in v3. AI substantive-change detector flagged this on save. Triggered re-attestation of all 92 prior attestations.