Security policy

In AP Cybersecurity, a security policy is a written set of rules that defines how an organization protects its data, devices, and physical spaces. The workstation security policy (CED 2.3.A) is the key example: it spells out measures like locking devices and using privacy screens.

Verified for the 2027 AP Cybersecurity exam. Last updated June 2026.

What is security policy?

A security policy is a written document that tells everyone in an organization what they have to do to keep things secure. It's not a piece of hardware or software. It's a rule book. That makes it a managerial control, meaning it works by directing human behavior instead of physically blocking an attacker.

The version you'll see most in Unit 2 is the workstation security policy (EK 2.3.A.2). It lays out the steps needed to protect a physical workspace, like locking your device before you walk away, using a privacy screen filter so people can't shoulder-surf your screen, and clearing sensitive papers off your desk. A good workstation policy can even have tiers, so a desk handling top-secret data gets stricter rules than one handling public info. The whole point is to turn "be careful" into specific, enforceable requirements.

Why security policy matters in AP Cybersecurity

Security policy lives in Unit 2: Securing Spaces, specifically topic 2.3 (Protecting Physical Spaces). It's the backbone of learning objective AP Cybersecurity 2.3.A, which asks you to identify managerial controls related to physical security. While locks and fences (the physical controls in 2.3.B) stop intruders directly, the security policy is what makes humans behave securely. That distinction between controlling people and controlling things is a recurring theme across the whole course, so nailing it here pays off later.


How security policy connects across the course

Managerial Control (Unit 2)

A security policy IS a type of managerial control. Managerial controls work through rules and people, not hardware. If you can identify a security policy as managerial, you've already answered half the control-classification questions in 2.3.

Clean Desk Policy (Unit 2)

A clean desk policy is basically one clause inside a broader workstation security policy. It requires you to clear sensitive documents off your desk before stepping away, which is the exact scenario tested in practice questions on workstation policies.

Acceptable Use Policy (Unit 2)

Both are written security policies, but they aim at different behavior. A workstation policy protects the physical desk and device, while an acceptable use policy spells out how you're allowed to use company systems and the internet.

Physical Control (Unit 2)

Physical controls like fencing, locks, and card readers (EK 2.3.B.2 through B.4) are the hardware side; the security policy is the written rule that tells employees when and how to use them. They work as a pair.

Is security policy on the AP Cybersecurity exam?

Expect multiple-choice questions that hand you a scenario and ask you to name the policy or control type. One common stem describes clearing documents off a desk and asks which policy that is (answer: clean desk policy, part of a workstation security policy). Another gives you a list and asks which item belongs in a workstation security policy, like locking devices or using a privacy screen filter correctly. The skill is matching the described behavior to the right policy or control category. No released FRQ has used "security policy" word-for-word, but the term supports the kind of mitigation-strategy reasoning that 2.3.B questions reward, where you pick a control to address a physical vulnerability.

Security policy vs physical control

A security policy is a written rule (managerial), while a physical control is a tangible object like a lock, fence, or card reader. Easy test: if you can read it, it's a policy; if you can touch it, it's a physical control. A policy might require physical controls, but it isn't one itself.

Key things to remember about security policy

  • A security policy is a written rule set, which makes it a managerial control rather than a physical or technical one.

  • The workstation security policy is the main example in CED 2.3.A and can have tiers based on how sensitive the data at a workstation is.

  • Typical workstation policy requirements include locking devices before leaving, using privacy screen filters, and keeping a clean desk.

  • Policies control human behavior; physical controls like locks and fences block attackers directly. The exam tests whether you can tell them apart.

  • When a multiple-choice scenario describes a written rule employees must follow, the answer is almost always a policy or managerial control.

Frequently asked questions about security policy

What is a security policy in AP Cybersecurity?

It's a written document that tells employees what they must do to protect data, devices, and physical spaces. The workstation security policy in CED 2.3.A is the key example, covering things like locking your screen and using a privacy filter.

Is a security policy a physical control?

No. A security policy is a managerial control because it works through written rules and human behavior. Locks, fences, and card readers are the physical controls; the policy is what tells people to use them.

How is a workstation security policy different from a clean desk policy?

A clean desk policy is one specific requirement (clearing sensitive papers off your desk), while a workstation security policy is the broader document that may include the clean desk rule along with locking devices and using privacy screens.

What goes in a workstation security policy?

Common requirements are locking devices before stepping away, using privacy screen filters to stop shoulder-surfing, and tiering security based on how sensitive the data handled at that desk is.

Is security policy on the AP Cybersecurity exam?

Yes. It shows up in Unit 2 under topic 2.3, and multiple-choice questions test whether you can identify a workstation or clean desk policy and classify it as a managerial control.
