Training Employees

A well-trained workforce is a valuable asset in any access control system, especially when it comes to defeating social engineering tactics. Employees cannot be expected to respond appropriately to security situations if they have not been trained in the proper way to handle them.

Simply handing a new hire the employee handbook and expecting him or her to read the sections on security policy is not enough. A good security awareness program should:

  • Be ongoing—Telling employees about a security policy once is not enough. Security awareness messages should be repeated and reinforced on a regular basis.
  • Include multiple formats—Not every individual learns in the same way. Some people are better at processing written information, while others are auditory learners. Some respond better to visual representations or dramatizations. Presenting information in a variety of formats helps to ensure that every employee understands security concepts well.
  • Be interactive—People remember information more clearly when they are able to interact with it. Role-playing activities are a great way to allow employees to interact with security information and practice recognizing and responding to security events.
  • Include multiple points of contact—A concept usually needs to be encountered many times before it is internalized. Place security awareness signs around the workplace, schedule workshops and seminars, and conduct security awareness drills. Each time employees encounter a security awareness message, the information becomes a little more ingrained.

What should employees learn about security? Two common policies, the acceptable use policy and the security awareness policy, cover the security information most employees need. Neither policy is a one-size-fits-all solution; each organization will have its own version.

Acceptable Use Policy

An acceptable use policy (AUP) defines how employees may use the IT infrastructure supplied by an organization. In general, an acceptable use policy specifies whether employees may use organization resources such as networks, Internet connections, and email accounts for personal use. It may also define whether employees may download files from the Internet, forward humorous or chain letters via email, or engage in sending spam. An acceptable use policy generally forbids any activity that is prohibited by federal, state, or local laws or that violates regulatory compliance. Common elements in an acceptable use policy are:

  • Keep all passwords secure and do not share accounts.
  • All workstations and laptops must be secured with a password-protected screensaver.
  • Use of organizational communications resources, including email, telephone, Internet, and interoffice mail, shall be limited to business purposes only. Personal use is strictly prohibited.
  • Sending unsolicited junk email or advertisements is prohibited.
  • Any form of harassment, including email and telephone messages, is prohibited.
  • Creating or forwarding chain letters, pyramid schemes, or other similar messages is prohibited.
  • Circumventing the security of any network or host owned by the organization is prohibited.

Most acceptable use policies go into more depth; however, these are items commonly found in nearly every acceptable use policy.

Security Awareness Policy

A security awareness policy specifies what individual employees are responsible for in terms of information security. It also defines the responsibilities of managers and information owners. Because security is an ever-changing field, many security awareness policies do not lay out specific procedures but instead refer employees to another resource for up-to-date information, such as a page on the organization's intranet.

In general, employees must agree to read and follow security procedures. Managers are responsible for providing training and security resources for those under their supervision, and information owners are responsible for classifying their information and taking appropriate steps to safeguard it. Some common elements in a security awareness policy include:

  • The organization will provide ongoing training and resources on information security.
  • Information owners will classify the information according to its sensitivity and take reasonable precautions to safeguard the information.
  • Employees should understand common security threats and maintain a sense of vigilance, especially with regard to social engineering attacks.
  • Employees should immediately report any suspicious activity to their manager.

Many security awareness policies also include references to other documents, both internal policies and external resources, to which employees can refer if they are unsure of whether a given situation constitutes a security threat.
