Domain 5 of 5 · Chapter 3 of 4

Security Policies

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified in Cybersecurity premium course — no separate purchase.

Included in this chapter:

  • The policy catalog: one policy per scenario
  • Inside the policies that get confused
  • Change management: accountable and reversible
  • Exam-pattern recognition: matching the policy

Common security policies and what each governs

PolicyWhat it governsScenario it owns
Acceptable Use Policy (AUP)Permitted and prohibited use of company systemsAn employee misuses the corporate network or shares a password
Password policyCredential rules: length, complexity, reuse, rotationSetting minimum password length or how often it must change
BYOD policySecurity rules for employee-owned devices accessing company dataAn employee wants to read work email on a personal phone
Data Handling policyClassification, labeling, retention, and destruction of dataDeciding how long to keep records or how to destroy old media
Privacy policyCollection, use, sharing, and protection of personal informationHow customer personal data is gathered and safeguarded
Change Management policyDocument, approve, test, implement, rollback of changesAn admin needs to change a production server's configuration

Cheat sheet

  • A security policy states the rule; the exam asks which policy owns the scenario
  • An AUP governs conduct on company systems
  • A BYOD policy governs the personal device, not the user's conduct
  • AUP vs BYOD: behavior on company systems vs the personal device itself
  • A Password policy is where credential rules are recorded
  • A Data Handling policy covers classification, labeling, retention, and destruction
  • A legal hold overrides the retention schedule
  • A Privacy policy is the personal-information slice of data handling
  • A Change Management policy makes changes accountable and reversible
  • Change management runs document, approve, test, implement, rollback
  • Rollback is the step that returns the system to its last known-good state
  • Emergency changes are expedited but still recorded
  • A policy states intent; a standard and a procedure carry it out
  • The Change Advisory Board reviews and authorizes changes before they go live
  • An account lockout threshold blunts brute-force guessing, but set too low it invites denial of service
  • Modern password rules: salt-and-hash storage, check against breach lists, change only on compromise

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. https://csrc.nist.gov/glossary/term/information_security_policy
  2. https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final
  3. https://csrc.nist.gov/glossary/term/baseline_configuration