# Acceptable Use Policy (AUP)

One-sentence definition: A mandatory policy describing permitted and prohibited behaviors when using organizational assets.

## Key Facts

- Covers devices, networks, data, email, internet, social media.
- Includes privacy expectations and monitoring notices.
- Defines consequences for violations and reporting obligations.
- Must be acknowledged by users (attestation records).
- Periodic review; aligns with HR and legal guidance.
- Role-based variants for admins, contractors, students, etc.
- **Label:** **Mandatory** behavior control underpinning many controls.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Identify missing AUP elements in scenarios; ensure enforceability.

**Mnemonic:** “What you can/can’t do.”

## Mini Scenario

Q: Employee installs personal P2P apps—what policy applies?

A: AUP (with specific prohibited software clause).

## Revision Checklist

- Name 4 topics an AUP must cover.
- Explain why attestation matters.
- Map AUP to disciplinary/enforcement process.

## Related

[[Security Policy Hierarchy]] · [[Security Culture and Awareness]] · [[Compliance and Regulatory Concepts]] · [[Security Roles and Responsibilities]] · [[Control Types and Categories]] · [[Domain 1 - Index]]