LEAP -- Acceptable Use Policy
| Document Number |
POL-GL-COM-AUP-1.0 |
| Target audience |
LEAP-All |
| Effective Date |
|
Cover page layout
Contents
- 1. Purpose
- 2. Scope
- 3. Definitions
- 4. Roles and Responsibilities
- 5. General Security Principles
- 5.1. Ethical Conduct
- 5.2. Legal Conduct
- 6. Users' Responsibilities
- 6.1. Business Assets
- 6.2. Use Electronic Email
- 6.3. Use of Computer systems and Networks
- 6.4. User of Mobile Devices
- 6.5. User of Physical Access cards
- 6.6. Voicemail Etiquette
- 7. User Identification and Password Protection
- 7.1. Password Naming
- 7.2. Password Responsibility
- 8. Remote Access to LEAP Networks
- 9. Client Data Access
- 10. Use of Password Vault
- 11. Internet Use
- 12. Use of Artificial Intelligence (AI) and Generative AI Tools
- 12.1. Acceptable AI Use
- 12.2. Prohibited AI Use
- 12.3. Data Protection and Confidentiality
- 13. Virus and Malicious Software
- 14. Clear Desk and Clear Screen Policy
- 15. Transfer of Sensitive Data Using E-Mail, Social Media/Networking or Instant Messaging
- 16. Right to audit
- 17. Security Incident Reporting
- 18. BYOD Policy
- 19. Related documents
- 20. Policy Exceptions
- 21. Policy Enforcement
- 22. Policy Monitoring
- 23. Awareness & Communication
- 24. Version History
Purpose
The purpose of this document is to raise staff awareness and define clear rules for the use of the information and information system assets of LEAP.
This policy institutes the baselines principles for implementing, maintaining, and continually improving the Information Security Management System throughout LEAP. The objectives of this Policy are to provide users with details on the commonly accepted goals of Information Security Management.
Scope
The policy applies to all Legal Software Holdings Pty Ltd employees, consultants, contractors and wholly owned subsidiaries "LEAP". This includes:
- On‑premises and remote access
- Cloud and SaaS services
- LEAP‑issued and approved personal devices (BYOD)
- Artificial intelligence and automation tools
Definitions
| Term |
Definition |
| Confidentiality |
Access to data shall be confined to those with the appropriate authority |
| Availability |
Information shall be available and delivered to the right person, at the right time |
| Integrity |
Accuracy & completeness of the information. All systems, assets, and networks shall operate correctly, according to specification |
| Information Asset |
Information is defined as anything having business value. Examples of information are customer information (such as name, contact details, phone number, etc.), employee information, financial, operational, communication information and intellectual property. |
| Information Security |
Preservation of confidentiality, integrity, and availability of information |
Table 1: Key Definitions
Roles and Responsibilities
It is the responsibility of all users within the organisation to ensure the protection of all kinds of information and related infrastructure assets. This includes the protection of Confidentiality, Integrity, Availability and privacy, as it relates to their areas of operations.
General Security Principles
The following security and compliance principles have been established to ensure information and information assets are appropriately managed in lines LEAP Information Security Policy.
- All users are responsible for Information Security and the appropriate use of Information Technology in a responsible manner.
- Under no conditions, an employee of LEAP is authorised to engage in an activity that is illegal under local, state, country or international law while utilising LEAP services.
- Employees are forbidden to disclose LEAP's business-critical issues with anyone outside of the organisation without due authorisation.
- LEAP reserves the right to monitor all employees' use of its computer and Information Technology resources. Any such monitoring is conducted in accordance with any relevant legal and compliance requirements.
Ethical Conduct
Staff must observe the ethical standard of conduct. Unethical activities may include, but not limited to:
- Unauthorised modification, performance degradation of LEAP information systems and networks.
- Gaining elevated privileges to gain access to LEAP facilities or information systems without authorisation.
- Unauthorised disclosure and sharing of LEAP business-sensitive information.
Legal Conduct
LEAP information and information systems must be used for lawful purposes, to comply with Federal, State, and international legislation. Illegal activities may include, but not limited to:
- Information or information system theft.
- Loading pirated software and programs on LEAP information system devices.
- Breaching software license copyright by copying or re-distributing copyright software or program.
- Intentional damage to LEAP facilities.
- Creating, possessing or distribution of offensive material.
Users' Responsibilities
Business Assets
All desktops, mobile devices, laptops and any other related business equipment, must adhere to the following items set to ensure the security of LEAP and its customers.
- Each workstation or personal computer will run the operating system that is the current approved standard operating system with the latest service pack and security patches as approved by team IT Operations.
- IT Operations maintains a software portal which is the sole repository of permissible applications and software, any deviation from those applications needs to be reviewed / approved by IT Operations.
- All installed software must be approved by team IT Operations and properly licensed.
- Information should be appropriately protected against loss or compromise when working remotely (for example at home or in public places).
Use Electronic Email
LEAP provides access to its e-mail system for all employees. M365 accounts and passwords will be provided to the employee during the employee integration process and will be immediately deactivated during the employee termination process.
- Employees must treat electronic mail messages and files as company confidential information.
- All electronic communication generated, received or handled by LEAP's electronic messaging systems are considered the property of LEAP.
- Email systems must employ dedicated personal accounts and passwords to isolate the communications of different users.
- All attachments will be scanned for malware. If any are found, the attachment will be blocked.
- LEAP email messages are stored in backups; electronic communications may be retrievable after deletion from a user's mailbox.
- Blanket forwarding of email messages to personal accounts is prohibited.
- Electronic messages that constitute business records must be retained like other business records.
- When employees receive unwanted or SPAM emails, they must refrain from responding directly to the sender.
- LEAP's email system is intended for business purposes. All messages sent by email systems are LEAP records. LEAP reserves the right to access and disclose all messages sent over its electronic mail system, for any purpose.
Use of Computer systems and Networks
It is the responsibility of the users to ensure authentication measures, or the security of any host, network or account is not evaded at any time.
- Security access controls that have been put in place preventing access to information must not be circumvented. If a user is unable to access the required information to perform his job, then they must obtain approval using the correct procedure.
- Cryptographic keys are used as an additional layer of authentication to access sensitive applications. It is mandatory to always possess the issued cryptographic key.
- Scanning the network with the purpose of exploiting the weakness is strictly prohibited.
- Users are prohibited from interfering with service to any user, host or network.
- Users are required to take special caution while outside the office network. While connecting to any public hotspot/wireless connection, ensure that the connection is secure (https://).
User of Mobile Devices
Users must protect LEAP provided/owned portable equipment such as notebooks, laptops, mobile devices from theft.
- When away from the office (such as when in vehicles or at other locations) notebooks, laptops and mobile devices must be stored in a secure position.
- Mobile devices must be secured when left unattended in LEAP or customer offices.
User of Physical Access cards
- Physical access control cards are issued to users to gain access to LEAP office locations. It is mandatory to carry and display physical access cards at all times.
- In case the access card is lost report immediately to the Department of Human Resource/P&Ct.
Voicemail Etiquette
- Keep your greetings up to date.
- Let callers know when then can anticipate a response.
- Share your full name and company affiliation.
- Share the intent of your message.
- Include your contact details at the beginning and end of the message.
- Share your availability.
User Identification and Password Protection
Password Naming
User Identification (userid) and Passwords are the keys to access your information. The following guidelines are recommended to protect you and the organisation against any breach related to identity disclosure:
- Passwords shall be a minimum of 8 characters long and shall contain alphanumeric characters with special characters.
- Avoid using known names such as company name, date of birth, kids name and pets name as others easily guess them for unauthorized access.
Password good example: J0hn@2590!
Password bad example: john1234
Strong passwords have the following characteristics:
- Contain both UPPER and lower case letters.
- Contain both alpha and numeric characters as well as having punctuation characters, e.g. 0-9, !@#$%^&*()_+~`, etc..
- Are at least eight characters long.
- By making passwords complex you are making it difficult to be compromised.
Password Responsibility
Users are responsible for the security of their passwords and accounts. The password should be changed as per the password management policy and whenever there is any indication of possible system or password compromise.
- Do not write down your password.
- Do not reveal your passwords to support people, managers or supervisors.
- Do not use the same password for business and personal access accounts.
- Do not share passwords with friends and family members.
- Vendor installed accounts must have their passwords changed immediately upon install from their vendor defaults. The password must follow the guidelines listed above.
- All LEAP employees are required to protect their account and password credentials. The only storage mechanism that is authorised by LEAP to store credentials is the Password Vault.
- Proper practice is to immediately perform a password change and notify Team Cyber Security when any suspicious activity occurs that leads the employee to believe that their password has been compromised.
Remote Access to LEAP Networks
- All connections to client networks must be made through LEAP approved equipment.
- All LEAP security policies contained in this document will be followed when connecting to client networks or equipment.
- All client-provided policies must be adhered to when connecting to client networks or equipment.
- All LEAP personnel must review and adhere to any client-supplied security policies when accessing any client equipment.
Client Data Access
- At no time will LEAP personnel access and store customer data on internal LEAP equipment.
- At no time will LEAP personnel access or display ANY client data without prior approval from the client.
- If LEAP personnel are asked to perform application tuning and/or application program creation where it is required to access client data, the designated test environment should be utilised.
- Common sense should be used when processing client data requests. These requests for data are extremely rare and should be closely evaluated. LEAP personnel who feel uncomfortable providing data to customer personnel for any reason are asked to escalate the request to their immediate supervisor.
Use of Password Vault
- Every time you are connecting to a production session you must access the password vault for the customer's login credentials prior to accessing the customer's environment.
- At no time should you maintain an open connection to the customer's environment for more than 8 hours, unless you are actively working on a long-running job, or addressing a critical ticket.
- Individual login credentials must be kept private to the respective LEAP employee.
- It is mandatory to only utilise the password vaults that are approved by Cyber Security, the approved personal vaults are located on the Self-Service Portal. Any other application utilised are prohibited.
Internet Use
Each LEAP employee has an individual user account that can be used to access LEAP information and networks globally. Individual Internet activity should not interfere with other user's Internet activity.
- Internet access is made available based on business requirements.
- Internet use may not include viewing, downloading illegal or offensive material.
- The software of any kind must not be downloaded unless explicitly approved.
- Visiting websites that are not official is strictly prohibited
- MS Teams and ZOOM are used as official messengers for office voice communications.
- SLACK is the chat communication messenger.
LEAP does not own the responsibility for the data and content viewed, downloaded, delivered or received by users over the Internet. LEAP employees are responsible for any material that they access and disseminate through the use of the official Internet.
Use of Artificial Intelligence (AI) and Generative AI Tools
Artificial Intelligence (AI), including generative AI technologies, may present productivity benefits to LEAP; however, their use introduces risks relating to confidentiality, privacy, intellectual property, bias, accuracy, and regulatory compliance.
Acceptable AI Use
The use of AI tools is permitted only where:
- The use supports legitimate business purposes.
- The AI tool has been explicitly approved by LEAP or accessed through LEAP‑approved platforms.
- Outputs generated by AI are reviewed, validated, and approved by a human prior to use, decision‑making, or external dissemination.
- The use of AI complies with all applicable LEAP policies, contractual obligations, and legal or regulatory requirements.
Users remain fully accountable for all outcomes resulting from AI‑assisted activity.
Prohibited AI Use
The following activities are strictly prohibited:
- Entering, uploading, or disclosing confidential LEAP information, client information, personal data, or privileged material into any AI tool unless explicitly approved in writing.
- Using publicly available or unapproved AI tools where prompts, inputs, or outputs may be stored, logged, or used for training purposes.
- Using AI tools to generate legal advice, client advice, contractual language, system configurations, or operational decisions without appropriate human review and approval.
- Using AI tools to bypass security controls, authentication mechanisms, licensing controls, or monitoring safeguards.
- Representing AI‑generated outputs as authoritative, original, or human‑produced work without appropriate disclosure where required.
- Using AI tools in a manner that could mislead clients, customers, or internal stakeholders.
Data Protection and Confidentiality
- All information entered into, generated by, or derived from AI tools is subject to LEAP's Information Security Policy and data classification requirements.
- AI‑generated content that includes or references LEAP or client information shall be treated as a LEAP information asset.
- AI tools must not be used to process or store regulated, classified, or sensitive data unless explicitly authorised and risk‑assessed.
Virus and Malicious Software
LEAP has implemented reasonable practices to secure information systems and networks from malware; it is possible that the users inadvertently introduce malware on LEAP networks through the internet.
Specific action should be taken while accessing LEAP information systems, but not limited to:
- Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses, malware, spyware, or Trojan horse code.
- Downloading unauthorised software.
- Browsing website which may not be trustworthy.
Clear Desk and Clear Screen Policy
A clear desk/clear screen practice reduces the risks of unauthorized access, loss and damage to information. To reduce the risk the users should ensure:
- All personnel are required to ensure that paper documents, other sensitive information assets are kept in lock and key when no longer in use.
- All personnel are required to lock their screen when no longer working in their PC/notebook.
- Documents containing sensitive or classified information must be removed from printers immediately.
- All computers will be password protected. The password protection must be enabled with a 5-minute time limit.
Transfer of Sensitive Data Using E-Mail, Social Media/Networking or Instant Messaging
- The transfer of any sensitive LEAP and customer data (accounts, passwords, log-in instructions, etc.) using E-mail, social media/Networking or Instant Messaging Systems is strictly prohibited. The only approved method of transferring sensitive information is by direct phone contacts or "face to face" communications.
Right to audit
- All Company information and information systems are owned by LEAP and LEAP has the right to audit any part of the infrastructure at any point in time, without employee notice.
Security Incident Reporting
A security weakness /incident may be a result of a compromise to Confidentiality, Integrity, and availability, Non-repudiation and/or Legal or Contractual Non-conformity. The impact of any security incident may result in serious consequences to the business and therefore adherence to this policy is to avoid any such serious incident.
- Employees should be well aware of Incident reporting procedures and understand areas, which may or may not be reported.
- Employees must promptly report all information security alerts, warnings, suspected vulnerabilities, weaknesses, to Infosec@Leapdev.io
- Users should not be found any exploiting any identified weakness.
BYOD Policy
Employees may use their mobile and laptop device to access the following company-owned resources, email, calendars, contacts, and documents.
- To prevent unauthorised access, devices must be password protected using the features of the device and a strong password is required, per company guidelines, to access the company network.
- The employee's device will be remotely wiped if 1) the device is lost, 2) the employee terminates his or her employment, 3) IT detects a data or policy breach, a virus or similar threat to the security of the company's data and technology infrastructure.
- Users must not load pirated software or illegal content onto their devices.
- If you are granted permission to BYOD over the corporate VPN, it will be mandatory to notify IT Operations to install appropriate tool sets before connecting to the VPN. At LEAP's discretion your device maybe updated without notice and/or isolated if there are any security threats to protect network and system environments.
- Users must be cautious about the merging of personal and work email accounts on their devices.
- Before officially granting access for device to be utilised there will need to be a review to make sure all utilities are installed and reporting no errors.
- Please be aware, the BYOD will track connectivity, may be updated unexpectedly, isolated from network until a security review has been completed.
- They must take particular care to ensure that company data is only sent through the corporate email system.
- Employees must ensure the latest virus and patch definitions are always up to date.
Related documents
- LEAP Information Security Policy
- LEAP Security Incident Management Procedure
- LEAP Data Classification Policy
- LEAP Artificial Intelligence and Generative AI Policy
Policy Exceptions
Exceptions in this policy will be risk-assessed by the CISO with valid business justification and Policy Owner's approval. Exceptions will be time bound.
Policy Enforcement
Any LEAP employee, contractor, third-party found to have violated any part of this policy may be subject to P&C disciplinary action, up to and including termination of employment.
Policy Monitoring
Compliance with this policy will be monitored through periodic reviews, audits, and management oversight.
Awareness & Communication
This policy is an organisational record. A copy of LEAP security policies is made available to all staff/business units currently employed, or when they join LEAP. Employees requiring further information on any aspects of this Policy should discuss their needs with Trust at LEAP Legal Software trust@leaplegalsoftware.com. Any changes or updates to the policy are immediately communicated to Team Governance, Risk and Compliance (GRC).
Version History
| Version Number |
Date |
Section Changes |
Author |
Approver |
| 1.0 |
<<enter date>> |
Initial Release |
<<Title>> |
<<Title>> |