---
title: "Security Policy — AP Cybersecurity Definition & Exam Guide"
description: "A security policy is a written rule set that tells employees how to protect data and physical spaces. Learn how it shows up in AP Cybersecurity Unit 2."
canonical: "https://fiveable.me/ap-cybersecurity/key-terms/security-policy"
type: "key-term"
subject: "AP Cybersecurity"
unit: "Unit 2"
---

# Security Policy — AP Cybersecurity Definition & Exam Guide

## Definition

In AP Cybersecurity, a security policy is a written set of rules that defines how an organization protects its data, devices, and physical spaces. The workstation security policy (CED 2.3.A) is the key example: it spells out measures like locking devices and using privacy screens.

## What It Is

A security policy is a written document that tells everyone in an organization what they have to do to keep things secure. It's not a piece of hardware or [software](/ap-cybersecurity/unit-4/protecting-devices/study-guide/n86HF5aR65a2DLQwNHDn "fv-autolink"). It's a rule book. That makes it a **[managerial control](/ap-cybersecurity/key-terms/managerial-control "fv-autolink")**, meaning it works by directing human behavior instead of physically blocking an attacker.

The version you'll see most in [Unit 2](/ap-cybersecurity/unit-2 "fv-autolink") is the **workstation security policy** (EK 2.3.A.2). It lays out the steps needed to protect a physical workspace, like locking your device before you walk away, using a privacy screen filter so people can't shoulder-surf your screen, and clearing sensitive papers off your desk. A good workstation policy can even have tiers, so a desk handling top-secret data gets stricter rules than one handling public info. The whole point is to turn "be careful" into specific, enforceable requirements.

## Why It Matters

Security policy lives in **Unit 2: Securing Spaces**, specifically [topic 2.3](/ap-cybersecurity/unit-2/protecting-physical-spaces/study-guide/PhHFFwPlXGtEWL781jEc "fv-autolink") (Protecting Physical Spaces). It's the backbone of learning objective **[AP Cybersecurity](/ap-cybersecurity "fv-autolink") 2.3.A**, which asks you to identify managerial controls related to physical security. While locks and fences (the physical controls in 2.3.B) stop intruders directly, the security policy is what makes humans behave securely. That distinction between controlling people and controlling things is a recurring theme across the whole course, so nailing it here pays off later.

## Connections

### [Managerial Control (Unit 2)](/ap-cybersecurity/key-terms/managerial-control)

A security policy IS a type of managerial control. [Managerial controls](/ap-cybersecurity/unit-2/cyber-foundations/study-guide/0oS8jJyX7iolYntwz5Eh "fv-autolink") work through rules and people, not hardware. If you can identify a security policy as managerial, you've already answered half the control-classification questions in 2.3.

### [Clean Desk Policy (Unit 2)](/ap-cybersecurity/key-terms/clean-desk-policy)

A [clean desk policy](/ap-cybersecurity/key-terms/clean-desk-policy "fv-autolink") is basically one clause inside a broader workstation security policy. It requires you to clear sensitive documents off your desk before stepping away, which is the exact scenario tested in practice questions on workstation policies.

### [Acceptable Use Policy (Unit 2)](/ap-cybersecurity/key-terms/acceptable-use-policy)

Both are written security policies, but they aim at different behavior. A workstation policy protects the physical desk and device, while an [acceptable use policy](/ap-cybersecurity/key-terms/acceptable-use-policy "fv-autolink") spells out how you're allowed to use company systems and the internet.

### [Physical Control (Unit 2)](/ap-cybersecurity/key-terms/physical-control)

Physical controls like fencing, locks, and card readers (EK 2.3.B.2 through B.4) are the hardware side; the security policy is the written rule that tells employees when and how to use them. They work as a pair.

## On the AP Exam

Expect multiple-choice questions that hand you a scenario and ask you to name the policy or control type. One common stem describes clearing documents off a desk and asks which policy that is (answer: clean desk policy, part of a workstation security policy). Another gives you a list and asks which item belongs in a workstation security policy, like locking devices or using a privacy screen filter correctly. The skill is matching the described behavior to the right policy or control category. No released FRQ has used "security policy" word-for-word, but the term supports the kind of mitigation-strategy reasoning that 2.3.B questions reward, where you pick a control to address a physical vulnerability.

## security policy vs physical control

A security policy is a written rule (managerial), while a physical control is a tangible object like a lock, fence, or card reader. Easy test: if you can read it, it's a policy; if you can touch it, it's a physical control. A policy might require physical controls, but it isn't one itself.

## Key Takeaways

- A security policy is a written rule set, which makes it a managerial control rather than a physical or technical one.
- The workstation security policy is the main example in CED 2.3.A and can have tiers based on how sensitive the data at a workstation is.
- Typical workstation policy requirements include locking devices before leaving, using privacy screen filters, and keeping a clean desk.
- Policies control human behavior; physical controls like locks and fences block attackers directly. The exam tests whether you can tell them apart.
- When a multiple-choice scenario describes a written rule employees must follow, the answer is almost always a policy or managerial control.

## FAQs

### What is a security policy in AP Cybersecurity?

It's a written document that tells employees what they must do to protect data, devices, and physical spaces. The workstation security policy in CED 2.3.A is the key example, covering things like locking your screen and using a privacy filter.

### Is a security policy a physical control?

No. A security policy is a managerial control because it works through written rules and human behavior. Locks, fences, and card readers are the physical controls; the policy is what tells people to use them.

### How is a workstation security policy different from a clean desk policy?

A clean desk policy is one specific requirement, clearing sensitive papers off your desk, while a workstation security policy is the broader document that may include the clean desk rule plus locking devices and using privacy screens.

### What goes in a workstation security policy?

Common requirements are locking devices before stepping away, using privacy screen filters to stop shoulder-surfing, and tiering security based on how sensitive the data handled at that desk is.

### Is security policy on the AP Cybersecurity exam?

Yes. It shows up in Unit 2 under topic 2.3, and multiple-choice questions test whether you can identify a workstation or clean desk policy and classify it as a managerial control.

## Related Study Guides

- [2.3 Protecting Physical Spaces](/ap-cybersecurity/unit-2/protecting-physical-spaces/study-guide/PhHFFwPlXGtEWL781jEc)

## Structured Data

```json
{"@context":"https://schema.org","@graph":[{"@type":"LearningResource","@id":"https://fiveable.me/ap-cybersecurity/key-terms/security-policy#resource","name":"Security Policy — AP Cybersecurity Definition & Exam Guide","url":"https://fiveable.me/ap-cybersecurity/key-terms/security-policy","learningResourceType":"Concept explainer","educationalLevel":"AP® / High School","about":{"@id":"https://fiveable.me/ap-cybersecurity/key-terms/security-policy#term"},"audience":{"@type":"EducationalAudience","educationalRole":"student"},"dateModified":"2026-06-15T18:59:26.891Z","isPartOf":{"@type":"Collection","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"publisher":{"@type":"Organization","name":"Fiveable","url":"https://fiveable.me"}},{"@type":"DefinedTerm","@id":"https://fiveable.me/ap-cybersecurity/key-terms/security-policy#term","name":"security policy","description":"In AP Cybersecurity, a security policy is a written set of rules that defines how an organization protects its data, devices, and physical spaces. The workstation security policy (CED 2.3.A) is the key example: it spells out measures like locking devices and using privacy screens.","url":"https://fiveable.me/ap-cybersecurity/key-terms/security-policy","inDefinedTermSet":{"@type":"DefinedTermSet","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"educationalAlignment":[{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 2, Topic 2.3, LO 2.3.A"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 2, Topic 2.3, LO 2.3.B"}]},{"@type":"FAQPage","mainEntity":[{"@type":"Question","name":"What is a security policy in AP Cybersecurity?","acceptedAnswer":{"@type":"Answer","text":"It's a written document that tells employees what they must do to protect data, devices, and physical spaces. The workstation security policy in CED 2.3.A is the key example, covering things like locking your screen and using a privacy filter."}},{"@type":"Question","name":"Is a security policy a physical control?","acceptedAnswer":{"@type":"Answer","text":"No. A security policy is a managerial control because it works through written rules and human behavior. Locks, fences, and card readers are the physical controls; the policy is what tells people to use them."}},{"@type":"Question","name":"How is a workstation security policy different from a clean desk policy?","acceptedAnswer":{"@type":"Answer","text":"A clean desk policy is one specific requirement, clearing sensitive papers off your desk, while a workstation security policy is the broader document that may include the clean desk rule plus locking devices and using privacy screens."}},{"@type":"Question","name":"What goes in a workstation security policy?","acceptedAnswer":{"@type":"Answer","text":"Common requirements are locking devices before stepping away, using privacy screen filters to stop shoulder-surfing, and tiering security based on how sensitive the data handled at that desk is."}},{"@type":"Question","name":"Is security policy on the AP Cybersecurity exam?","acceptedAnswer":{"@type":"Answer","text":"Yes. It shows up in Unit 2 under topic 2.3, and multiple-choice questions test whether you can identify a workstation or clean desk policy and classify it as a managerial control."}}]},{"@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"AP Cybersecurity","item":"https://fiveable.me/ap-cybersecurity"},{"@type":"ListItem","position":2,"name":"Key Terms","item":"https://fiveable.me/ap-cybersecurity/key-terms"},{"@type":"ListItem","position":3,"name":"Unit 2","item":"https://fiveable.me/ap-cybersecurity/unit-2"},{"@type":"ListItem","position":4,"name":"security policy"}]}]}
```
