In this lesson, instructor Kelly Handerhan will explain the policies that we use to protect the organization's C-I-A.

Separation of duties: works very closely with the idea of least privilege and "need to know." An employee will only be given the rights to perform the activities that are necessary for their job. It mitigates the success of exploits such as social engineering.

Acceptable Use Policy (AUP): the organization dictates what the acceptable use of company resources is.

Mandatory vacations: an effective detective tool. If there has been a spate of unexplained security breaches or other untoward activity, sometimes separating an employee from the company for a specified period will demonstrate who the culprit is.

Job rotation: an effective way to cross-train staff to ensure redundancy in the event a particular staff member is absent for some reason.

Least privilege: much like separation of duties, it ensures data security by preventing any one employee from being able to access more information or resources than they are required to in order to perform their assigned duties.

Need to know: ensures that no staff member possesses more information than they are required to in order to efficiently perform their job.

Dual control: used when a task or function is so sensitive that it is more secure to split the task between two team members.

Computer ownership: who owns a company laptop?

Onboarding/offboarding: how do we bring people in and let them go from the organization?