CertiGuide to Security+  9  Chapter 5:  Operational/Organizational Security (Domain 5.0; 15%)       9  5.4  Policy and Procedures            9  5.4.1  Security Policy

5.4.1  Security Policy 1 5.4.1.2  Due Care

There is no single template that applies to all for Acceptable Use Policy. The Electronic Freedom Foundation has a large repository that serves as a guideline by individual industries⁴³⁰, as noted in the general FAQ from the site.

General guidelines include:

As much as possible use existing legislation and law enforcement mechanisms rather than creating your own.

• Cite statutes or ordinances based upon which the authority to make this policy is based.
  
  
• Make policies reasonable and narrow.
  
  
• Have legal counsel check policy.
  
  
• “Common sense, reason and sensitivity should be used to resolve issues in a constructive and positive manner without escalation.”
  
  
• Train staff. Include empathy training.
  
  
• Consider any policy that the limits access carefully.
  
  
• Provide a clear description of the behavior that is prohibited so that a reasonably intelligent person will have fair warning.

Policies should be clear on a number of specific topics. Examples include:

• Responsibility of users to protect the data they are using.
  
  
• Modifying database entries.
  
  
• Providing passwords or sharing user accounts with other workers.
  
  
• Copying software.
  
  
• Installing software or hardware.
  
  
• Policies regarding email and web access.
  
  
• Password requirements including how often they must be changed.
  
  
• Remote access capabilities.
  
  
• Auditing of computer accounts.

5.4.1  Security Policy 1 5.4.1.2  Due Care