5.17 Supporting Security Policies with Procedures

Different organizations will have different goals for their acceptable use policies. Some organizations encourage employees to make wide personal use of the organization's IT assets to improve morale and reduce interruptions between the users, personal life, and work. Some organizations encourage users to use organizational assets to perform personal educational tasks as well. This way, the employee gets the benefit of the assets and the organization gets a higher trained and happier employee. Some organizations severely limit users personal use of IT assets in order to reduce risk within the organization. All security related policies should align with the organization's risk tolerance while ensuring that regulatory requirements are met. An organization that does not store confidential data on a laptop or workstation is likely to be more relaxed in their acceptable use policy. While a health care facility, research institution or defense contractor may be much stricter as they have data that can be potentially devastating if compromised.