HRS-02: Acceptable Use of Technology Policy and Procedures

Control Family:

Human Resources

CSF v1.1 References:

PF v1.0 References:

Info icon.

Control is new to this version of the control set and incorporates the following items from the previous version: GRM-06: Policy, GRM-09: Policy Reviews, HRS-08: Technology Acceptable Use.

Control Statement

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for defining allowances and conditions for the acceptable use of organizationally-owned or managed assets. Review and update the policies and procedures at least annually.

Implementation Guidance

The organization should establish a policy on acceptable use requirements and standards for protecting and handling the organizational assets and communicate them as sufficient to personnel. In addition, the policy should provide clear direction on how individuals should utilize these assets. Personnel should acknowledge their understanding and accept responsibility to use information processing resources. The policy should include, but is not limited to:

  1. Expected security behaviors of individuals.
  2. Unacceptable behavior of individuals.
  3. Permitted use of the organization's assets.
  4. Prohibited use of the organization’s assets.
  5. Organizational monitoring activities.

Policies and procedures should be reviewed and updated at least annually or whenever there are significant changes in the environment, and personnel should be retrained when these changes occur

Auditing Guidance

  1. Examine policy for adequacy, currency, communication, and effectiveness.
  2. Verify that a definition of organizationally-owned or managed assets exists, and is implemented.
  3. Verify, via Interviews or otherwise, that the policy is communicated to users.
  4. Examine policy and procedures for evidence of review at least annually.

[ Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.