An acceptable use policy (AUP) is a managerial control that spells out the rules for how employees are allowed to use an organization's devices, networks, and physical spaces, reducing risk by setting clear expectations for behavior.
An acceptable use policy (AUP) is a written set of rules that tells employees what they can and can't do with an organization's technology and facilities. Think of it as the rulebook handed to everyone on day one: don't plug in random USB drives, don't badge strangers into restricted areas, lock your screen when you walk away, don't use the company network for sketchy stuff.
In AP Cybersecurity terms, an AUP is a managerial control (a defense built from rules and human behavior, not hardware or software). It works alongside things like the workstation security policy and security awareness training described in EK 2.3.A.1 and EK 2.3.A.2. The whole point is to shape how people behave so that human mistakes don't become security holes. A locked server cabinet stops a thief, but an AUP stops an employee from accidentally letting that thief in.
This term lives in Unit 2: Securing Spaces, specifically topic 2.3 Protecting Physical Spaces. It supports learning objective AP Cybersecurity 2.3.A, which asks you to identify managerial controls related to physical security. An AUP is the classic example of a control that protects systems by governing people rather than installing equipment. It also connects to 2.3.B, since clear usage rules are one way to mitigate risks that come from human vulnerabilities (like badging someone in or falling for phishing). On the exam, recognizing an AUP as a managerial (not technical or physical) control is the skill being tested.
Keep studying AP Cybersecurity Unit 2
Visual cheatsheet
view galleryManagerial Control (Unit 2)
An AUP IS a managerial control. The category is the parent, and the AUP is one of the most common examples. If a question describes a written rule shaping employee behavior, you're looking at a managerial control.
Workstation Security Policy (Unit 2)
Both are written policies under topic 2.3, and they often overlap. A workstation security policy focuses on protecting a physical workspace (locking devices, data tiers), while an AUP covers the broader behavior around using all of the organization's resources.
Clean Desk Policy (Unit 2)
A clean desk policy is a narrower cousin that says don't leave sensitive papers or unlocked devices out in the open. An AUP often contains or references rules like this, so they show up together as managerial defenses against physical snooping.
Security Awareness Training (Unit 2)
An AUP is the rulebook; training is how you teach it. EK 2.3.A.1 pairs them, because a policy nobody understands does nothing. Training makes sure employees actually know not to badge strangers in or click phishing links.
Expect this on multiple-choice questions that ask you to classify a control as managerial, physical, or technical. An AUP is always managerial, because it's a rule about behavior, not a lock or a piece of software. A stem might describe a company rolling out a document that prohibits personal use of work devices and asks what type of control it is. You should be able to tell an AUP apart from a card reader (physical/detective) or antivirus (technical). No released FRQ uses this term word for word, but it fits the kind of question where you propose mitigation strategies for human-driven physical vulnerabilities under objective 2.3.B.
Both are written managerial controls in topic 2.3, which makes them easy to mix up. A workstation security policy is narrow: it protects a physical workspace, often with tiers based on the data handled there, and may require locking devices before stepping away. An acceptable use policy is broader, covering how employees may use all company technology and resources, not just one desk.
An acceptable use policy is a managerial control, meaning it defends systems through written rules and human behavior, not hardware or software.
It belongs to Unit 2, topic 2.3, and supports learning objective AP Cybersecurity 2.3.A on identifying managerial controls for physical security.
The AUP works alongside security awareness training, because employees need to actually understand the rules for them to matter.
On the exam, if a scenario describes a document setting rules for how employees use company technology, classify it as managerial, not physical or technical.
An AUP is broader than a workstation security policy or clean desk policy, which target specific spaces or behaviors.
It's a written set of rules telling employees how they're allowed to use an organization's devices, networks, and facilities. In CED terms, it's a managerial control under topic 2.3 that reduces risk by shaping human behavior.
No. It's a managerial control, because it governs people through rules rather than enforcing anything with software (technical) or hardware like locks and fences (physical). This classification is exactly what MCQs tend to test.
An AUP is broad and covers how employees use all of the organization's technology and resources. A workstation security policy is narrow, focusing on protecting a specific physical workspace and the data handled there, sometimes with security tiers.
Because most security failures involve people, not just machines. A clear policy plus training stops employees from making risky mistakes like badging in strangers, leaving devices unlocked, or falling for phishing, which is the human side of physical security in 2.3.A.
In Unit 2: Securing Spaces, topic 2.3 Protecting Physical Spaces. It's an example of a managerial control under learning objective AP Cybersecurity 2.3.A and supports the mitigation thinking in 2.3.B.
Connect this key term to the AP exam workflow: review the course, practice questions, and check related study tools.