10. Supporting Security Policies with Procedures
Acceptable Use Policies
Different organizations have different goals for their acceptable use policies.
- Some organizations allow wide personal use of the organization’s IT assets to improve morale and reduce interruptions between personal life and work.
- Some organizations allow employees to use organizational assets for personal educational tasks.
  - This can benefit:
    - Employees, by giving them access to the assets
    - Organizations, by having better trained and happier employees
- Some organizations strictly limit personal use of IT assets.
Risk and Policy Alignment
- All security-related policies should align with the organization’s risk tolerance (level of risk the organization is willing to accept).
- Policies must also ensure that regulatory requirements are met.
Policy Strictness
- An organization that does not store confidential data on a laptop or workstation may have a more relaxed acceptable use policy.
- A health care facility, research institution, or defense contractor may have a much stricter policy because a compromise of their data could be devastating.