(ISC)2 Certified in Cybersecurity Practice Exam

Which policy defines acceptable behavior regarding the use of an organization's resources?

• A. Organizational security policy
• B. Acceptable use policy (AUP)
• C. Data protection policy
• D. Information governance policy

The correct answer is: Acceptable use policy (AUP)

The acceptable use policy (AUP) is specifically designed to outline and define acceptable behavior concerning the use of an organization's resources, including hardware, software, and internet access. This policy sets the parameters for what users can and cannot do with the organization's tools and data, helping to ensure that resources are used in a manner that is safe, secure, and aligned with the organization's goals. The AUP typically includes guidelines about user responsibilities, consequences of misuse, and may also touch on areas such as privacy, data protection, and cybersecurity practices. By educating users on these parameters, the AUP serves not only to protect the organization's resources but also to foster a culture of compliance and responsibility among employees. The organizational security policy encompasses broader security measures for the entire organization and may not delve into specific user behaviors regarding resource utilization in the same detail as an AUP. The data protection policy focuses primarily on how to handle sensitive information, including compliance with regulations, rather than general resource use. Information governance policy is concerned with the management of information throughout its lifecycle, including how it is created, used, and disposed of, but does not specifically cover acceptable behavior for using resources. Therefore, the AUP is the most relevant policy for defining acceptable behaviors around the use of organizational