Users and their Managers


Users are required to support the business function in their job role which will vary from organization to organization. Users and/or their managers will need to know the policies listed here.

Skills Required

Defined by the organization depending upon job roles.

Policies Affecting Users and/or their Managers

Must Take Specific action

  • Acceptable Use Policy - Users must understand what is acceptable use or unacceptable use of IT resources provided to them. They must comply with this policy.
  • Account Management Policy - Users must understand how to get accounts created that they require for access. They must understand the process and know how to get account changes made when their role changes.
  • Employee Termination Policy - Users should understand the employee termination process and follow it when they end their relationship with the organization. They may need to turn in access devices and other property.
  • Employee Background Screening Policy - Employees will need to know that their backgrounds will be checked when they are hired and possibly periodically thereafter.
  • Approved Application Policy - Must comply and only install or allow approved applications to be installed on computer equipment they use.
  • Mobile Computer/Device Policy - Users must understand and comply with this policy especiallt when moving mobile devices or storing sensitive data on mobile devices.
  • Software Licensing Policy - Users must understand this policy and not install or have software installed that is not legally licensed.
  • Email Policy - Users must understand this policy and realize that not all file types can be sent through email. Users should know where to go to find out what file types are allowed through email and to determine other email policies that affect them.
  • Data Classification Policy* - Business users must understand that they need to classify the security needs of their data and know how to do that or be able to work with a security officer who can help them.
  • Information Sensitivity Policy* - Users should understand how to handle sensitive data and how any data they own should be protected when it is stored on servers or transmitted.
  • Disaster Recovery Policy* - Users should understand that their critical business processes should be covered in disaster recovery policies and procedures.
  • Third Party Identification Policy* - Users who work with external third parties must understand and comply with this policy. Third parties working on projects must be securely identified and comply with additional policies in order to be allowed to be a caretaker of organizational data.

Must be Aware

  • Password Policy - Users need to understand that their password characteristics must comply with this policy.
  • Remote Access Policy - If users require remote access, they must understand the policy and processes required.
  • Computer Training Policy - Users should have basic computer understanding including how to avoid scams. They should understand that their systems should be updated regularly and their anti-virus program should be running with current virus definitions. Users should be aware of training opportunities.
  • User Privilege Policy - Users should be aware of this policy and realize that standard users will not have unnecessary privileges such as being able to install software. Users should be aware or the process to gain additional privileges if required to perform their job duties.
  • Privacy and Confidentiality Policy - Must understand the need to protect private information.
  • Browser Configuration Policy - Users should be aware that their browser will be configured to prevent compromise of their computer. They should have some familiarity with settings which help secure their browser.
  • Logon Banner Policy - Users should be aware of what the logon banner means.
  • Code of Ethical Conduct Policy - Users must understand the behavior expected regarding ethics including competition, use of funds, disclosure of information, conflict of interest, and external activities.
  • Internet Connection Policy - Users must understand that they are only allowed to connect to the internet using approved connections. They should understand how to get approval if required..
  • Wireless Communication Policy - Users must understand that use of wireless requires approved technologies. They must know how to find the processes required for wireless use and know how to use the technology responsibly.
  • Surf Control Policy - Users should be aware that internet access to insecure or inappropriate sites is blocked and that internet access may be monitored.
  • Asset Control Policy - Users should be aware that the equipment and software they use is tracked in an inventory database.
  • Software Tracking Policy - Users should be aware that the software they use is tracked in an inventory database.
  • Virus Protection Policy - Users should be aware of the anti-virus requirements regarding the product to use, keeping it current, and performing virus scans.
  • Patch Management Policy - Users should be aware that their systems may be periodically updated.
  • Backup and Recovery Policy - Users should be aware that backups on network drives are done and that data stored locally on their workstations may not be backed up or recoverable in the case of a hardware failure.
  • Workstation Configuration Policy - Users should be aware of this policy and understand configuration requirements for their workstation including anti-virus, browser, asset control, patch management, incident response, and disposal.
  • Risk Assessment Policy * - Business users should understand when projects require a risk assessment to be done and what it means.
  • Database Passwords Policy - Users of databases should be aware of this policy.
  • Incident Response Policy - Users should be aware of this policy and know the incident response process. They should know who to call if they perceive a security incident.
  • Extranet Policy* - Business users who require third party organizations to connect to the organizational network should be aware of this policy requirements.
  • Development Life Cycle Policy - Users who work on business projects should be familiar with this policy so they understand how it impacts their projects and business needs. They can therefore plan project schedules appropriately and work better with project managers.
  • Cost Management Policy* - Business users should be familiar with the requirements of tracking costs and who is responsible.
  • IT Human Resource Policy - Users, specifically IT users, should be familiar with IT roles, requirements, and defined IT organizational structure.
  • External Requirements Policy - Users should be aware of external requirements that the organization must meet so they comply in their job role. Items of this type include taxes, compliance with laws, and compliance with contracts.
  • Customer Support Policy - Users should be aware of how the help desk works, especially regarding problem resolution.

* - Business Owners