Navigate

CCI-000592

CCI-000592 Definition

The organization establishes the rules describing the responsibilities and expected behavior, with regard to information and information system usage, for individuals requiring access to the information system.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed must develop and document rules that describe information system user responsibilities and expected behavior with regard to information and information system usage, acceptable use policy (AUP). Organizations should reference Joint Ethics Regulations (DoD 5500.7-R) when developing this policy.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the organization's AUP to ensure the organization has clearly defined and established rules describing information system user responsibilities and expected behavior with regard to information and information system usage.

Compelling Evidence

1.) Acceptable use policy (AUP) which includes user responsibilities and expected behavior. It should be approved by the system owner, authorizing authority, and appropriate legal counsel and address both information system usage and information usage.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000592.

Control	Description
PL-4	The organization: PL-4a.: Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage; PL-4b.: Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system; PL-4c.: Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and PL-4d.: Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated.

Control

Description

PL-4

The organization:

PL-4a.: Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;

PL-4b.: Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;

PL-4c.: Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and

PL-4d.: Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated.