---
title: "Acceptable Use Policy — AP Cybersecurity Definition"
description: "An acceptable use policy is a managerial control that sets the rules for how employees use an organization's systems, central to Unit 2's physical security defenses."
canonical: "https://fiveable.me/ap-cybersecurity/key-terms/acceptable-use-policy"
type: "key-term"
subject: "AP Cybersecurity"
unit: "Unit 2"
---

# Acceptable Use Policy — AP Cybersecurity Definition

## Definition

An acceptable use policy (AUP) is a managerial control that spells out the rules for how employees are allowed to use an organization's devices, networks, and physical spaces, reducing risk by setting clear expectations for behavior.

## What It Is

An **acceptable use policy (AUP)** is a written set of rules that tells employees what they can and can't do with an organization's technology and facilities. Think of it as the rulebook handed to everyone on day one: don't plug in random USB drives, don't badge strangers into restricted areas, [lock](/ap-cybersecurity/unit-2/protecting-physical-spaces/study-guide/PhHFFwPlXGtEWL781jEc "fv-autolink") your screen when you walk away, don't use the company network for sketchy stuff.

In [AP Cybersecurity](/ap-cybersecurity "fv-autolink") terms, an AUP is a **[managerial control](/ap-cybersecurity/key-terms/managerial-control "fv-autolink")** (a defense built from rules and human behavior, not hardware or software). It works alongside things like the **workstation security policy** and security awareness training described in EK 2.3.A.1 and EK 2.3.A.2. The whole point is to shape how people behave so that human mistakes don't become security holes. A locked server cabinet stops a thief, but an AUP stops an employee from accidentally letting that thief in.

## Why It Matters

This term lives in **[Unit 2](/ap-cybersecurity/unit-2 "fv-autolink"): Securing Spaces**, specifically topic 2.3 Protecting Physical Spaces. It supports learning objective **AP Cybersecurity 2.3.A**, which asks you to identify managerial controls related to physical security. An AUP is the classic example of a control that protects systems by governing people rather than installing equipment. It also connects to 2.3.B, since clear usage rules are one way to mitigate risks that come from human [vulnerabilities](/ap-cybersecurity/key-terms/vulnerability "fv-autolink") (like badging someone in or falling for phishing). On the exam, recognizing an AUP as a managerial (not technical or physical) control is the skill being tested.

## Connections

### [Managerial Control (Unit 2)](/ap-cybersecurity/key-terms/managerial-control)

An AUP IS a managerial control. The category is the parent, and the AUP is one of the most common examples. If a question describes a written rule shaping employee behavior, you're looking at a managerial control.

### [Workstation Security Policy (Unit 2)](/ap-cybersecurity/key-terms/workstation-security-policy)

Both are written policies under topic 2.3, and they often overlap. A [workstation security policy](/ap-cybersecurity/key-terms/workstation-security-policy "fv-autolink") focuses on protecting a physical workspace (locking devices, data tiers), while an AUP covers the broader behavior around using all of the organization's resources.

### [Clean Desk Policy (Unit 2)](/ap-cybersecurity/key-terms/clean-desk-policy)

A [clean desk policy](/ap-cybersecurity/key-terms/clean-desk-policy "fv-autolink") is a narrower cousin that says don't leave sensitive papers or unlocked devices out in the open. An AUP often contains or references rules like this, so they show up together as managerial defenses against physical snooping.

### Security Awareness Training (Unit 2)

An AUP is the rulebook; training is how you teach it. EK 2.3.A.1 pairs them, because a policy nobody understands does nothing. Training makes sure employees actually know not to badge strangers in or click [phishing](/ap-cybersecurity/key-terms/phishing "fv-autolink") links.

## On the AP Exam

Expect this on multiple-choice questions that ask you to classify a control as managerial, physical, or technical. An AUP is always managerial, because it's a rule about behavior, not a lock or a piece of software. A stem might describe a company rolling out a document that prohibits personal use of work devices and asks what type of control it is. You should be able to tell an AUP apart from a card reader (physical/detective) or antivirus (technical). No released FRQ uses this term word for word, but it fits the kind of question where you propose mitigation strategies for human-driven physical vulnerabilities under objective 2.3.B.

## acceptable use policy vs workstation security policy

Both are written managerial controls in topic 2.3, which makes them easy to mix up. A workstation security policy is narrow: it protects a physical workspace, often with tiers based on the data handled there, and may require locking devices before stepping away. An acceptable use policy is broader, covering how employees may use all company technology and resources, not just one desk.

## Key Takeaways

- An acceptable use policy is a managerial control, meaning it defends systems through written rules and human behavior, not hardware or software.
- It belongs to Unit 2, topic 2.3, and supports learning objective AP Cybersecurity 2.3.A on identifying managerial controls for physical security.
- The AUP works alongside security awareness training, because employees need to actually understand the rules for them to matter.
- On the exam, if a scenario describes a document setting rules for how employees use company technology, classify it as managerial, not physical or technical.
- An AUP is broader than a workstation security policy or clean desk policy, which target specific spaces or behaviors.

## FAQs

### What is an acceptable use policy in AP Cybersecurity?

It's a written set of rules telling employees how they're allowed to use an organization's devices, networks, and facilities. In CED terms, it's a managerial control under topic 2.3 that reduces risk by shaping human behavior.

### Is an acceptable use policy a technical control?

No. It's a managerial control, because it governs people through rules rather than enforcing anything with software (technical) or hardware like locks and fences (physical). This classification is exactly what MCQs tend to test.

### How is an acceptable use policy different from a workstation security policy?

An AUP is broad and covers how employees use all of the organization's technology and resources. A workstation security policy is narrow, focusing on protecting a specific physical workspace and the data handled there, sometimes with security tiers.

### Why do organizations need an acceptable use policy?

Because most security failures involve people, not just machines. A clear policy plus training stops employees from making risky mistakes like badging in strangers, leaving devices unlocked, or falling for phishing, which is the human side of physical security in 2.3.A.

### Where does the acceptable use policy show up in the AP Cybersecurity CED?

In Unit 2: Securing Spaces, topic 2.3 Protecting Physical Spaces. It's an example of a managerial control under learning objective AP Cybersecurity 2.3.A and supports the mitigation thinking in 2.3.B.

## Related Study Guides

- [2.3 Protecting Physical Spaces](/ap-cybersecurity/unit-2/protecting-physical-spaces/study-guide/PhHFFwPlXGtEWL781jEc)

## Structured Data

```json
{"@context":"https://schema.org","@graph":[{"@type":"LearningResource","@id":"https://fiveable.me/ap-cybersecurity/key-terms/acceptable-use-policy#resource","name":"Acceptable Use Policy — AP Cybersecurity Definition","url":"https://fiveable.me/ap-cybersecurity/key-terms/acceptable-use-policy","learningResourceType":"Concept explainer","educationalLevel":"AP® / High School","about":{"@id":"https://fiveable.me/ap-cybersecurity/key-terms/acceptable-use-policy#term"},"audience":{"@type":"EducationalAudience","educationalRole":"student"},"dateModified":"2026-06-15T18:59:28.741Z","isPartOf":{"@type":"Collection","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"publisher":{"@type":"Organization","name":"Fiveable","url":"https://fiveable.me"}},{"@type":"DefinedTerm","@id":"https://fiveable.me/ap-cybersecurity/key-terms/acceptable-use-policy#term","name":"acceptable use policy","description":"An acceptable use policy (AUP) is a managerial control that spells out the rules for how employees are allowed to use an organization's devices, networks, and physical spaces, reducing risk by setting clear expectations for behavior.","url":"https://fiveable.me/ap-cybersecurity/key-terms/acceptable-use-policy","inDefinedTermSet":{"@type":"DefinedTermSet","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"educationalAlignment":[{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 2, Topic 2.3, LO 2.3.A"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 2, Topic 2.3, LO 2.3.B"}]},{"@type":"FAQPage","mainEntity":[{"@type":"Question","name":"What is an acceptable use policy in AP Cybersecurity?","acceptedAnswer":{"@type":"Answer","text":"It's a written set of rules telling employees how they're allowed to use an organization's devices, networks, and facilities. In CED terms, it's a managerial control under topic 2.3 that reduces risk by shaping human behavior."}},{"@type":"Question","name":"Is an acceptable use policy a technical control?","acceptedAnswer":{"@type":"Answer","text":"No. It's a managerial control, because it governs people through rules rather than enforcing anything with software (technical) or hardware like locks and fences (physical). This classification is exactly what MCQs tend to test."}},{"@type":"Question","name":"How is an acceptable use policy different from a workstation security policy?","acceptedAnswer":{"@type":"Answer","text":"An AUP is broad and covers how employees use all of the organization's technology and resources. A workstation security policy is narrow, focusing on protecting a specific physical workspace and the data handled there, sometimes with security tiers."}},{"@type":"Question","name":"Why do organizations need an acceptable use policy?","acceptedAnswer":{"@type":"Answer","text":"Because most security failures involve people, not just machines. A clear policy plus training stops employees from making risky mistakes like badging in strangers, leaving devices unlocked, or falling for phishing, which is the human side of physical security in 2.3.A."}},{"@type":"Question","name":"Where does the acceptable use policy show up in the AP Cybersecurity CED?","acceptedAnswer":{"@type":"Answer","text":"In Unit 2: Securing Spaces, topic 2.3 Protecting Physical Spaces. It's an example of a managerial control under learning objective AP Cybersecurity 2.3.A and supports the mitigation thinking in 2.3.B."}}]},{"@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"AP Cybersecurity","item":"https://fiveable.me/ap-cybersecurity"},{"@type":"ListItem","position":2,"name":"Key Terms","item":"https://fiveable.me/ap-cybersecurity/key-terms"},{"@type":"ListItem","position":3,"name":"Unit 2","item":"https://fiveable.me/ap-cybersecurity/unit-2"},{"@type":"ListItem","position":4,"name":"acceptable use policy"}]}]}
```
