Workstation security policy

In AP Cybersecurity, a workstation security policy is a managerial control that spells out the measures protecting a physical workplace, like locking devices when unattended and using privacy screens, often with tiers based on how sensitive the data handled there is.

Verified for the 2027 AP Cybersecurity exam. Last updated June 2026.

What is workstation security policy?

A workstation security policy is a written set of rules an organization puts in place to protect the physical space where people work. Think of it as the playbook for what you do at your desk to keep data safe. It's an example of a managerial control, meaning it's a policy and process rather than a physical object like a lock or a fence.

The policy spells out concrete habits: lock your device before stepping away, don't leave sensitive info on screen, use a privacy screen filter so someone walking by can't read your monitor. A key detail from the CED (EK 2.3.A.2) is that the policy may have tiers based on the type of data handled at a workstation. A desk that processes medical records or financial data gets stricter rules than one that doesn't touch anything sensitive.

Why workstation security policy matters in AP Cybersecurity

This term lives in Unit 2: Securing Spaces, specifically Topic 2.3 (Protecting Physical Spaces). It directly supports learning objective AP Cybersecurity 2.3.A, which asks you to identify managerial controls related to physical security. The whole point of Topic 2.3 is that securing a system isn't just firewalls and passwords. The physical room matters too, and the workstation security policy is how an organization writes down its physical-security expectations for the people who actually sit at the machines.

How workstation security policy connects across the course

Managerial Control (Unit 2)

A workstation security policy IS a managerial control. The category is the bucket; the policy is one example in it. Knowing that link helps you classify it correctly on a control-type question.

Physical Control (Unit 2)

The policy tells people to lock their devices, but the actual lock is a physical control. The policy sets the rule; physical controls enforce it in the real world. They work as a team.

Clean Desk Policy (Unit 2)

A clean desk policy (clear sensitive documents before walking away) is basically one specific clause that fits inside the broader workstation security policy. Same goal, narrower scope.

Employee Security Awareness Training (Unit 2)

A policy only works if people follow it, which is why EK 2.3.A.1 pairs it with awareness training. The training teaches the why; the policy states the what.

Is workstation security policy on the AP Cybersecurity exam?

Expect this term in multiple-choice questions in two flavors. First, classification: you'll be asked what TYPE of control it is, and the answer is a managerial control. Second, examples: you'll see a stem like "Which of the following is an example of a requirement that would be included in a workstation security policy?" and have to pick the right one, such as locking your device before leaving or using a privacy screen filter correctly. Watch for questions that describe a behavior (clearing documents off a desk) and ask you to name the policy. No released FRQ has used this term verbatim, but it supports the kind of physical-security mitigation reasoning that Topic 2.3 builds toward.

Workstation security policy vs physical control

A workstation security policy is a managerial control, which is a written rule. A physical control is the tangible thing, like a lock, a cable, or a privacy screen. The policy might REQUIRE a privacy screen, but the screen itself is the physical control. If a question describes a document or a rule, it's managerial; if it describes an object you can touch, it's physical.

Key things to remember about workstation security policy

  • A workstation security policy is a managerial control, not a physical object.

  • It outlines the measures needed to protect a physical workplace, like locking devices and using privacy screens.

  • The policy can be tiered, so workstations handling sensitive data get stricter rules.

  • It pairs with employee security awareness training, since a policy only works if people actually follow it.

  • It lives in Unit 2, Topic 2.3, and supports learning objective AP Cybersecurity 2.3.A.

Frequently asked questions about workstation security policy

What is a workstation security policy in AP Cybersecurity?

It's a managerial control that outlines the measures needed to protect a physical workplace, such as locking devices before leaving and using privacy screen filters. The CED notes it can have tiers based on how sensitive the data at a workstation is.

Is a workstation security policy a physical control or a managerial control?

It's a managerial control. It's a written policy that sets rules. The actual locks and privacy screens it requires are physical controls. On the exam, a rule or document is managerial; a tangible object is physical.

How is a workstation security policy different from a clean desk policy?

A clean desk policy is narrower. It specifically requires clearing sensitive documents off desks before stepping away. A workstation security policy is the broader rulebook for protecting the whole work area, and a clean desk rule can be one part of it.

Does a workstation security policy treat every desk the same?

No. EK 2.3.A.2 says the policy may have tiers based on the type of data handled at a workstation. A desk processing financial or medical records gets stricter requirements than one that handles nothing sensitive.

What are examples of workstation security policy requirements on the AP exam?

Common examples include locking your device before leaving it unattended and using a privacy screen filter so passersby can't read your monitor. Multiple-choice questions often ask you to pick which behavior belongs in the policy.
