ERMITS ADVISORY SERVICES - ACCEPTABLE USE POLICY

Maintain Professional Conduct:

• Act with honesty, integrity, and professionalism
• Respect confidentiality and trust relationships
• Communicate respectfully and professionally
• Meet commitments and deadlines
• Escalate issues promptly and appropriately

Exercise Professional Judgment:

• Provide objective, unbiased advice and recommendations
• Base recommendations on factual analysis and industry standards
• Disclose conflicts of interest promptly
• Acknowledge limitations of expertise
• Recommend specialists when appropriate

Adhere to Industry Standards:

• Follow applicable professional codes of conduct
• Comply with industry best practices and standards
• Maintain professional certifications and continuing education
• Apply quality assurance processes

Provide Accurate Information:

• Provide truthful, accurate, and complete information
• Not misrepresent facts, circumstances, or security posture
• Correct inaccuracies promptly when discovered
• Disclose material changes affecting engagement

Respect Professional Boundaries:

• Not request illegal, unethical, or unprofessional services
• Not pressure consultants to violate professional standards
• Not request access to confidential information about other clients
• Not attempt to recruit or hire ERMITS consultants during engagement (non-solicitation)

Cooperate in Good Faith:

• Provide timely access to personnel, systems, and documentation
• Respond to requests for information promptly
• Participate in scheduled meetings and reviews
• Implement reasonable security measures for consultant access

Maintain Professional Independence:

• Provide objective recommendations without bias
• Disclose conflicts of interest
• Not accept gifts, kickbacks, or referral fees from vendors
• Not recommend specific vendors without transparent disclosure

Respect Client Confidentiality:

• Maintain strict confidentiality of Client Data and Confidential Information
• Use Confidential Information only for engagement purposes
• Not disclose engagement details to other clients or third parties
• Implement appropriate security measures

Deliver Quality Services:

• Perform services with appropriate expertise and care
• Meet professional standards and quality expectations
• Communicate proactively about issues, risks, and delays
• Stand behind recommendations with professional reasoning

Clients Shall Not:

• Share ERMITS proprietary methodologies, tools, or frameworks with third parties without consent
• Use ERMITS work product beyond scope of license granted
• Disclose engagement details in manner that reveals ERMITS confidential information
• Publicly criticize ERMITS or consultants in defamatory manner

ERMITS Consultants Shall Not:

• Disclose Client Data or Confidential Information to unauthorized parties
• Use Client Confidential Information for personal gain or other clients
• Discuss client engagement details with other clients or publicly
• Access Client Data beyond scope authorized in SOW
• Retain Client Data after engagement termination (except as permitted)
• Disclose client identity or engagement details without consent

Prohibited Misrepresentation:

Prohibited Misuse of Deliverables:

Clients Processing CUI/FCI Shall:

• Properly mark CUI/FCI per NIST SP 800-171 and 32 CFR Part 2002
• Provide ERMITS consultants with CUI/FCI handling training
• Implement appropriate safeguards and access controls
• Monitor and log consultant access to CUI/FCI
• Ensure consultants sign Non-Disclosure Agreements
• Report cyber incidents per DFARS 252.204-7012 requirements

ERMITS Consultants Handling CUI/FCI Shall:

• Complete CUI/FCI handling training
• Access CUI/FCI only on client-approved systems
• Not transmit CUI/FCI outside authorized systems
• Not store CUI/FCI on personal devices or ERMITS infrastructure
• Report suspected security incidents immediately
• Comply with all client CUI/FCI handling procedures

Prohibited CUI/FCI Activities:

Clients Subject to HIPAA Shall:

• Execute Business Associate Agreement (BAA) before PHI disclosure
• Provide minimum necessary PHI for engagement purposes
• Train ERMITS consultants on HIPAA requirements
• Monitor consultant access to PHI
• Report breaches involving PHI per HIPAA Breach Notification Rule

ERMITS Consultants Handling PHI Shall:

• Access PHI only as necessary for engagement deliverables
• Apply minimum necessary standard
• Not access PHI for personal purposes
• Not disclose PHI to unauthorized parties
• Use de-identified data when possible
• Report suspected breaches within 24 hours to client

Prohibited PHI Activities:

ERMITS Policy:

• ERMITS Advisory Services do not involve classified information
• Consultants do not have security clearances (unless specifically disclosed)
• Clients may not disclose classified information to ERMITS consultants
• Engagements involving classified information require special arrangements

If Classified Information Inadvertently Disclosed:

• Consultant shall immediately cease accessing and notify ERMITS management
• ERMITS will notify client security officer
• Appropriate safeguarding and reporting procedures followed

Permitted Activities:

• Access systems and data within scope defined in SOW
• Review configurations, logs, and documentation as authorized
• Conduct assessments using approved tools and methodologies
• Document findings for inclusion in deliverables

Prohibited Activities:

Acceptable Use:

• Use ERMITS-provided devices and accounts for client work
• Use approved collaboration and file sharing platforms
• Implement security controls (encryption, MFA, strong passwords)
• Report security incidents or suspicious activity

Prohibited Use:

Required Practices:

• Use encrypted email for sensitive communications (TLS minimum, S/MIME preferred)
• Use secure file transfer platforms for document exchange
• Use client-approved collaboration tools
• Conduct video calls in private locations
• Avoid discussing confidential information in public

Prohibited Practices:

Clients Shall Not:

• Use ERMITS methodologies, frameworks, or tools beyond engagement scope
• Reverse engineer ERMITS proprietary tools
• Share ERMITS intellectual property with competitors
• Commercialize or resell ERMITS deliverables or methodologies
• Remove ERMITS attribution from deliverables

Permitted Use:

• Use deliverables for internal business purposes
• Share deliverables with regulators, auditors, and advisors as necessary
• Implement recommendations and methodologies within your organization
• Reference ERMITS publicly with consent (testimonials, case studies)

Client Reporting:

If you become aware of violations by ERMITS consultants:

• Contact engagement project manager immediately
• Email: advisory@ermits.com (Subject: "AUP Violation Report")
• For serious violations: legal@ermits.com
• Include: Detailed description, evidence, date/time, personnel involved

ERMITS Consultant Reporting:

If you become aware of violations by clients or client personnel:

• Report to ERMITS management immediately
• Email: advisory@ermits.com (Subject: "Client AUP Violation")
• For security incidents: security@ermits.com
• For legal/ethical concerns: legal@ermits.com

Protections:

• No retaliation against good faith reporters
• Confidential handling of reports
• Prompt investigation of allegations
• Protection of reporter identity (to extent possible)

Reporting Obligations:

• Consultants must report violations of professional standards
• Clients should report consultant misconduct or unprofessional behavior
• All parties must report security incidents affecting confidential information

ERMITS Investigation (for consultant violations):

• Prompt investigation by management
• Review account activity and usage patterns
• Examine audit logs and system logs (pseudonymized)
• Interview involved parties and witnesses
• Request information from the user
• Review evidence and documentation
• Determine facts and violation severity
• Notify client of findings (as appropriate)
• Cooperate with law enforcement or regulatory authorities

Client Investigation (for client personnel violations):

• Client responsible for investigating own personnel
• ERMITS may suspend services pending investigation
• ERMITS cooperates with reasonable investigation requests

Warning and Remediation:

• Written warning and corrective action plan
• Additional training or supervision
• Removal from specific engagement

Suspension:

• Temporary suspension from client engagements
• Remediation and retraining required
• Reinstatement upon completion

Termination:

• Immediate termination of employment
• Removal from all client engagements
• Notification to client (as appropriate)
• Report to professional organizations (if applicable)

Legal Action:

• Pursuit of damages for breach of confidentiality
• Injunctive relief to prevent ongoing violations
• Criminal referral (if illegal activity)

Warning:

• Email notification of violation
• Request for corrective action
• Monitoring of future compliance

Temporary Suspension:

• Immediate suspension of account access
• Opportunity to respond and remediate
• Reinstatement upon resolution

Termination of Engagement:

• Immediate and permanent account closure
• Immediate termination for material breach
• Client remains obligated to pay for services performed
• No refund of fees paid
• ERMITS may decline future engagements
• Ban from future use of Services

Legal Action:

• Enforcement of confidentiality and intellectual property rights
• Pursuit of damages for breach of contract
• Injunctive relief to prevent misuse of confidential information
• Pursuit of damages for harm caused
• Cooperation with law enforcement investigations

Permitted:

• Rapid access to systems and data as needed for containment and investigation
• After-hours and emergency access
• Expedited communication and decision-making
• Deviation from normal documentation procedures (documented post-incident)

Prohibited:

Required:

• Explicit written authorization before testing
• Clear scope definition (systems, timeframes, methods)
• Rules of engagement documented and approved
• Client notification procedures for critical findings
• Immediate cease upon client request

Prohibited:

Special Confidentiality:

• Enhanced confidentiality for sensitive transaction information
• Chinese Wall procedures if representing multiple parties
• Secure disposal of due diligence materials post-transaction
• Non-disclosure of transaction details even after engagement

Prohibited:

Legal Requests:

ERMITS will cooperate with lawful requests from:

• Law enforcement agencies
• Regulatory authorities
• Court orders and subpoenas
• National security investigations

User Notification:

When legally permitted, ERMITS will:

• Notify affected users of legal requests
• Provide reasonable time to challenge requests
• Disclose only information required by law

Emergency Situations:

In emergencies involving imminent threat to life or serious bodily harm:

• ERMITS may disclose information without prior notice
• Users will be notified after emergency resolution
• Disclosure limited to minimum necessary

Material Changes:

• 30 days' advance notice to active clients
• Notification via email or engagement communication
• Opportunity to discuss concerns
• Continued engagement constitutes acceptance

Non-Material Changes:

• Update "Last Updated" date
• Effective immediately upon posting
• Notice in next scheduled client communication