Acceptable Usage Policy
Purpose
This policy establishes guidelines and requirements for the use of artificial intelligence (AI) tools and services within the organization to protect company data, ensure compliance, and maintain security standards.
Scope
This policy applies to all employees, contractors, and temporary workers who use or wish to use AI tools in connection with their work duties.
Policy Statement
- All AI tools and services not created by Rygen must receive explicit approval before use in any work-related context.
- Only those tools found in the Approved AI Tools list may be used at Rygen, and those tools must be used according to their safe usage constraints.
- AI tools that cannot provide opt-out options for using data for training purposes are prohibited.
- Employees must verify and enable data privacy settings before using any approved AI tool.
- Sensitive company information, such as contact information and payment data, must not be used with any AI tool.
- Company confidential information and proprietary data may only be input into AI tools that have been specifically approved for handling such data and must be used in accordance with any additional security requirements or restrictions specified during the approval process.
- Employees must not connect unauthorized third-party AI systems directly to company databases, file systems, or any other information system owned by Rygen.
- Employees must report any potential data breaches or security concerns related to AI tool usage immediately.
Requirements for AI Tool Approval
- The tool must provide clear documentation of its data handling practices.
- The tool must offer the ability to opt out of data collection for training purposes.
- The tool must have enterprise-grade security features.
- The tool must comply with relevant industry regulations and standards.
- The vendor must provide clear terms of service and data processing agreements.
Prohibited Uses
- Using unapproved AI tools for any work-related purpose.
- Bypassing security settings or data privacy controls.
- Sharing access credentials for AI tools.
- Using unauthorized personal AI accounts for work purposes.
- Uploading sensitive company data to AI tools without explicit authorization.
- Connecting unapproved AI tools directly to company file systems or databases.
Compliance and Enforcement
- IT Security will maintain a list of approved AI tools.
- Regular audits will be conducted to ensure compliance.
- Violations may result in disciplinary action.
- All incidents involving unauthorized AI usage must be reported.
Approval Procedure
- Employee submits AI Tool Request Form to IT Security.
- IT Security reviews request and evaluates tool against security requirements.
- Legal reviews terms of service and data processing agreements.
- If approved, IT Security documents configuration requirements.
- Employee receives training on proper tool usage.
- IT Security enables and configures tool access.
See the AI Tool Approval Procedure for detailed approval steps.
Document Security Classification
Company Internal (please refer to the Data Classification policy for details).
Non-Compliance
Compliance with this policy shall be verified through various methods, including but not limited to automated reporting, audits, and feedback to the policy owner. Any staff member found to be in violation of this policy may be subject to disciplinary action, up to and including termination of employment or contractual agreement. The disciplinary action shall depend on the extent, intent, and repercussions of the specific violation.
Responsibilities
The IT Security Officer is responsible for approving and reviewing policy and related procedures. Supporting functions, departments, and staff members shall be responsible for implementing the relevant sections of the policy in their area of operation.
Review Schedule
This document shall be reviewed annually and whenever significant changes occur in the organization.
Revision History
| Version | Date | Author | Summary of Change |
|---|---|---|---|
| 1.0 | 2025-06-05 | Field Bradley | Initial draft. |
| 2.0 | 2025-08-22 | Field Bradley | Added restriction on connecting to company information systems |
| 2.1 | 2025-09-02 | Field Bradley | Migrated to Markdown and GitLab |
| 2.2 | 2026-03-02 | Field Bradley | Added policy statement prohibiting connection of unauthorized AI systems to company information systems |