CHAPTER 4Acceptable Use and General Cybersecurity Policies
Chapter 4 will cover acceptable use and general cybersecurity policies. It is the first of three chapters dedicated to the policies every organization should have as part of their cybersecurity defense. Many general best practice security recommendations will be covered.
Acceptable Use Policy (AUP)
Every organization should have an acceptable use policy (AUP) that should be reviewed, acknowledged, and signed by every employee when they are hired and annually thereafter. An AUP is a general IT policy document that educates users and other third parties (e.g., contractors, vendors, etc.), who may use the organization's IT resources or handle its protected data, about what is and is not allowed regarding the organization's IT devices, networks, services, and data, including personal responsibilities. It restricts the allowed actions that can be performed on the organization's devices and networks and defines many disallowed actions.
For example, an AUP will usually explain that the organization's electronic resources, including its computers, phones, and network, are provided for business purposes. An AUP may state that some personal use of work assets is allowed but should be minimal. An AUP often states that the assets cannot be used to personally enrich the covered person beyond the scope ...