TPC-1 is the very first control in the SACS-002 standard, and for good reason: it establishes the governance foundation that every other control builds upon. Without a documented Acceptable Use Policy, your employees have no formal guidance on how to handle Aramco data, use company technology, or maintain security practices. Auditors check for the AUP early in the assessment because its absence signals a fundamental governance gap. This guide explains exactly what your AUP must contain, how employees must acknowledge it, and the common mistakes that cause vendors to fail this control.

What TPC-1 Requires

TPC-1 requires that the third party maintains a documented Cybersecurity Acceptable Use Policy governing the use of all technology assets. The policy must be communicated to all employees, and every employee must formally acknowledge they have read and understood it.

TPC-1: Third Party must maintain and enforce a documented Cybersecurity Acceptable Use Policy. The policy must be communicated to all employees, who must acknowledge their understanding and agreement in writing.

Auditors interpret TPC-1 as requiring three things: the policy document itself, evidence that it was distributed to all employees, and signed acknowledgments from every employee.

Required Sections in Your AUP

A compliant AUP must address every area where employee behavior intersects with cybersecurity. Auditors will check for the following sections:

1. Purpose and Scope

Define who the policy applies to (all employees, contractors, and temporary staff who access company technology or Aramco data) and what it covers (all company-owned and personal devices used for work, all networks, all software, and all data).

2. Authorized Use of Technology Assets

Specify what employees are and are not permitted to do with company technology: acceptable use of email, internet browsing, software installation, removable media, and cloud services. Explicitly prohibit personal use of business systems for Aramco-related work.

3. Password and Authentication Requirements

Reference the SACS-002 password requirements from TPC-2: minimum 8 characters with special characters, 12-password history, 90-day rotation, 10-attempt lockout, and 15-minute screen lock. Prohibit password sharing, writing passwords down, or storing passwords in unencrypted files. For more details, see our access control and MFA guide.

4. Data Handling and Classification

Define how employees must handle different categories of data, especially Aramco data. Prohibit sharing Aramco data via unauthorized channels (personal email, consumer file-sharing services, USB drives). Reference your Data Classification Policy. For details, see our Data Classification Policy guide.

5. Email and Communication

Mandate use of company email for all Aramco business communication. Prohibit use of personal email accounts (Gmail, Yahoo, etc.) for any Aramco-related correspondence. Reference TPC-8, TPC-9, and TPC-10 requirements.

6. Internet and Network Use

Define acceptable internet use, prohibited activities (accessing malicious sites, downloading unauthorized software, bypassing security controls), and VPN requirements for remote access. Reference your network security policies.

7. Physical Security

Cover clean desk policies, screen locking when unattended, securing laptops and mobile devices, and visitor access procedures. Address working from home or public spaces.

8. Incident Reporting

Require employees to immediately report suspected security incidents, lost or stolen devices, phishing attempts, and unauthorized access. Provide specific reporting channels (who to contact, how). Reference your Incident Response Plan and TPC-23 requirements.

9. Consequences of Violation

Clearly state the disciplinary consequences for violating the AUP, up to and including termination of employment. This section gives the policy enforcement teeth and demonstrates to auditors that the organization takes compliance seriously.

10. Policy Review and Updates

State that the AUP will be reviewed and updated at least annually, or whenever significant changes occur in the threat landscape or regulatory requirements. Document the review process and approval chain.

Employee Acknowledgment Requirements

Having the policy document is not enough. TPC-1 and TPC-7 together require that every employee formally acknowledges the AUP. Auditors will request acknowledgment records.

Acknowledgment Element  | What Auditors Check
----------------------- | -------------------
Written acknowledgment  | Each employee has signed (digitally or physically) that they read and understood the AUP
Timestamp               | Date of acknowledgment recorded -- must be within the current policy version period
Complete coverage       | 100% of employees have acknowledgments on file -- no gaps for new hires or missed employees
Annual renewal          | Acknowledgments refreshed annually, not just at hire date. Auditors check dates.
Policy version tracking | Acknowledgments tied to the current version of the AUP, not an outdated version

Common TPC-1 Audit Failures

  1. No AUP exists: The most basic failure. The vendor has never written an Acceptable Use Policy. There is nothing to show the auditor.
  2. Generic IT policy, not cybersecurity-focused: The vendor has an "IT Policy" that covers how to request a laptop but says nothing about password requirements, data handling, incident reporting, or acceptable use of technology. It does not satisfy TPC-1.
  3. Policy exists but no acknowledgments: The AUP was written and perhaps even distributed via email, but employees were never asked to formally acknowledge it. No signatures, no records.
  4. Incomplete acknowledgment coverage: The AUP was distributed and most employees signed it, but 5 employees hired in the last 6 months never received it. The auditor cross-references acknowledgment records with the employee roster.
  5. Stale policy: The AUP was written 3 years ago, references Windows 7, and has never been reviewed or updated. The "last reviewed" date is years old, and acknowledgments are from the original distribution only.
  6. Missing critical sections: The AUP covers internet use and email but says nothing about data classification, incident reporting, or password requirements. It is incomplete against SACS-002 requirements.
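The acknowledgment checks in the table above (coverage, timestamp within the policy version period, annual renewal, version tracking) and failures 3 through 5 all come down to one reconciliation: the HR roster against the acknowledgment log. The script below is an added example, not part of this guide or of MassiveGRID's package, that performs that reconciliation and sorts every active employee into exactly one bucket. The roster, the acknowledgment log, the version number, the dates, the 30-day onboarding grace window and the 365-day renewal interval are all constructed assumptions for the example; SACS-002 sets no grace window, so treat that parameter as a local policy choice.

```python
"""Reconcile an AUP acknowledgment log against the employee roster (constructed example)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    hire_date: date
    active: bool = True


@dataclass(frozen=True)
class Acknowledgment:
    emp_id: str
    policy_version: str
    signed_on: date


def audit_acknowledgments(employees, acks, current_version, version_effective,
                          as_of, renewal_days=365, grace_days=30):
    """Cross-reference the roster with the acknowledgment log.

    Each active employee lands in exactly one bucket; the dict also carries
    a coverage percentage over active staff. renewal_days and grace_days are
    assumptions for this example, not figures from the standard.
    """
    findings = {
        "compliant": [], "missing": [], "pending_new_hire": [],
        "outdated_version": [], "predates_version": [], "stale": [],
        "unknown_signer": [],
    }
    roster = {e.emp_id: e for e in employees if e.active}
    known_ids = {e.emp_id for e in employees}

    # Keep only the most recent acknowledgment per employee; a signature from
    # someone not on the roster at all is itself a finding (bad log hygiene).
    latest = {}
    for a in acks:
        if a.emp_id not in known_ids:
            findings["unknown_signer"].append(a.emp_id)
            continue
        if a.emp_id not in latest or a.signed_on > latest[a.emp_id].signed_on:
            latest[a.emp_id] = a

    for emp_id, emp in sorted(roster.items()):
        a = latest.get(emp_id)
        if a is None:
            # No signature at all: a gap, unless the hire is inside the grace window.
            if (as_of - emp.hire_date).days <= grace_days:
                findings["pending_new_hire"].append(emp_id)
            else:
                findings["missing"].append(emp_id)
        elif a.policy_version != current_version:
            findings["outdated_version"].append(emp_id)   # signed an old AUP version
        elif a.signed_on < version_effective:
            findings["predates_version"].append(emp_id)   # date is outside the version period
        elif (as_of - a.signed_on).days > renewal_days:
            findings["stale"].append(emp_id)              # annual renewal overdue
        else:
            findings["compliant"].append(emp_id)

    active = len(roster)
    findings["coverage_percent"] = (
        round(100.0 * len(findings["compliant"]) / active, 1) if active else 0.0
    )
    return findings


def run_sample():
    """Constructed roster and log covering every failure mode once."""
    employees = [
        Employee("E001", "Alice", date(2021, 3, 1)),
        Employee("E002", "Bob", date(2022, 7, 15)),
        Employee("E003", "Carol", date(2025, 6, 20)),            # hired 143 days ago, never signed
        Employee("E004", "Dan", date(2025, 10, 25)),             # hired 16 days ago, inside grace
        Employee("E005", "Eve", date(2020, 1, 10), active=False),  # left the company
        Employee("E006", "Frank", date(2019, 5, 5)),
        Employee("E007", "Grace", date(2018, 1, 1)),
    ]
    acks = [
        Acknowledgment("E001", "2.0", date(2024, 1, 15)),   # superseded by the 2.1 signature
        Acknowledgment("E001", "2.1", date(2025, 2, 1)),
        Acknowledgment("E002", "2.0", date(2024, 9, 1)),    # never re-signed for 2.1
        Acknowledgment("E005", "2.1", date(2025, 1, 20)),   # inactive employee, ignored
        Acknowledgment("E006", "2.1", date(2024, 10, 1)),   # over a year old
        Acknowledgment("E007", "2.1", date(2024, 9, 1)),    # dated before 2.1 took effect
        Acknowledgment("E999", "2.1", date(2025, 3, 3)),    # not on the roster
    ]
    return audit_acknowledgments(
        employees, acks, current_version="2.1",
        version_effective=date(2024, 9, 15), as_of=date(2025, 11, 10),
    )


if __name__ == "__main__":
    for bucket, members in run_sample().items():
        print(f"{bucket}: {members}")
```

Run it against exports from HR and the LMS before the audit, not during it: any entry in `missing`, `outdated_version`, `predates_version` or `stale` is an employee the auditor's own cross-reference will find, and `unknown_signer` entries usually mean the log was never reconciled with off-boarding.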

AUP Audit Evidence Checklist

Evidence Item        | What to Prepare
-------------------- | ---------------
AUP document         | Current version with version number, effective date, and last review date
Approval record      | Evidence that management (CEO, CISO, or equivalent) approved the policy
Distribution record  | Evidence that the AUP was distributed to all employees (email, LMS, intranet)
Acknowledgment log   | Complete list: employee name, signature (digital or physical), date, policy version
New hire process     | Evidence that AUP acknowledgment is part of the onboarding checklist
Annual review record | Meeting minutes or change log showing the AUP was reviewed within the last 12 months

How MassiveGRID's Template Accelerates Compliance

Writing a compliant AUP from scratch requires understanding every SACS-002 control that has a policy dimension -- that is over a dozen TPC controls feeding into a single document. Most vendors either hire a consultant (expensive) or attempt to write it themselves (risky, with gaps the auditor will find).

MassiveGRID's CCC-Compliant Infrastructure Package includes a ready-made AUP template that:

Customize the template with your company details, distribute it through the included LMS, collect digital acknowledgments, and your TPC-1 evidence is complete.

Get the AUP Template as Part of the Full CCC Package

The Acceptable Use Policy template is one of six governance templates included in the MassiveGRID Aramco CCC-Compliant Infrastructure Package, alongside the Incident Response Plan, Data Classification Policy, Risk Assessment Template, Off-boarding Checklist, and Media Sanitization Procedure. Combined with 10 infrastructure components and direct access to authorized audit firm partners, it provides the full path from zero to certified.

Explore the full CCC-compliant infrastructure package →