1. Personnel Security Policies
    1. Mandatory Vacations
      1. An organization requires that employees take a certain number of days of vacation consecutively, helping to detect potential malicious activity such as fraud or embezzlement.
    2. Job Rotation
      1. More than one person is required to complete a particular task. This distributes control over a system, infrastructure, or particular task.
      2. Job rotation is one of the checks and balances that might be employed to enforce the proper separation of duties.
    3. Separation of Duties
      1. More than one person is required to complete a particular task or operation.
    4. Clean Desk Policy
      1. All documents, electronics, personally owned devices, and other items must be put away (or locked away) when the user is not at his or her desk or other work area.
    5. Role-Based Awareness Training
      1. Data Owner
      2. Systems Administrator
      3. System Owner
      4. User
      5. Privileged User
      6. Executive User
    6. Non-Disclosure Agreement (NDA)
      1. When signing this agreement, the signatory accepts and acknowledges specific rules of conduct, behavior, and/or nondisclosure of sensitive or privileged information.
    7. Onboarding and Offboarding
      1. Onboarding:
        1. When a new employee is added to an organization and to its identity and access management system.
        2. Incorporates training, formal meetings, lectures, and human resources employee handbooks and videos.
        3. It can also be implemented when a person changes roles within an organization.
        4. Ultimately provides better job performance and higher job satisfaction.
      2. Offboarding (Termination Policies):
        1. Exit Interviews
        2. Data Storage
        3. Account Termination
    8. User Education and Awareness Training
      1. Training meant to educate employees about their security responsibilities within the organization, as well as programs meant to remind employees of training they have already received.
    9. Acceptable Use Policy (AUP)
      1. A policy that defines the rules that restrict how a computer, network, or other system may be used.
    10. Change Management
      1. A structured way of changing the state of a computer system, network, or IT procedure.
    11. Due Diligence
      1. Ensuring that IT infrastructure risks are known and managed.
    12. Due Care
      1. The mitigation action that an organization takes to defend against the risks that have been uncovered during due diligence.
    13. Due Process
      1. The principle that an organization must respect and safeguard personnel's rights. This is to protect the employee from the state and from frivolous lawsuits.
2. General Security Policies
    1. Social Media Networks, Applications, and Personal Email
      1. Data Loss Prevention
        1. Social Engineering Threats
        2. Malware
      2. Acceptable Use Policies and NDA Breach