Rules of Behavior

Any information security policy and System Security Plan (SSP) should contain a section known as “Rules of Behavior” that establishes the appropriate use of the system, the expected behavior of its users, and the consequences of non-compliance.

From 800-100, Appendix B, FAQs:

Q – What are “Rules of Behavior”?
A – The rules should state the consequences of inconsistent behavior or noncompliance and identify the formal method used by the organization to document the user’s understanding of the rules and associated consequences. The rules of behavior should be made available to all users before they receive authorization for access to the system.

Federal agencies are required to have rules of behavior.

NIST SP 800-53, security control PL-4 (Rules of Behavior):

The organization establishes and makes readily available to all information system users a set of rules that describes their responsibilities and expected behavior with regard to information and information system usage. The organization receives signed acknowledgement from users indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to the information system and its resident information.

The rules of behavior should:

  • Delineate the responsibilities, expected use of the system, and expected behavior of all users
  • Describe appropriate limits on interconnections
  • Define service provisions and restoration priorities
  • Be clear on consequences of behavior not consistent with rules
  • Cover the following topics:
    • Work at home
    • Dial-in access
    • Connection to the Internet
    • Use of copyrighted work
    • Unofficial use of government equipment
    • Assignment and limitations of system privileges and individual accountability
    • Password usage
    • Searching databases and divulging information

KEY NIST DOCS:
SP 800-18 (Guide for Developing Security Plans for Federal Information Systems)
SP 800-100 (Information Security Handbook: A Guide for Managers)
