220-1102 | Chapter 103 of 131 | Objective 4.1

IT Policies: AUP, BYOD, Password Policy

This chapter covers three essential IT policies: Acceptable Use Policy (AUP), Bring Your Own Device (BYOD), and Password Policy. These topics fall under CompTIA A+ Core 2 (220-1102) Domain 4.0, Operational Procedures, specifically Objective 4.1: 'Given a scenario, implement best practices associated with documentation and support systems information management.' While direct questions on policies are limited (approximately 5-8% of the exam), understanding these policies is critical for scenario-based questions where you must determine the appropriate policy or its enforcement. This chapter provides the depth needed to answer those questions correctly.

25 min read
Intermediate
Updated May 31, 2026

IT Policies as Building Rules

Think of an organization's IT policies like the rules and systems in a large office building. The Acceptable Use Policy (AUP) is like the building's code of conduct: it says you can use the break room for lunch, but not to store personal furniture. It defines what activities are allowed in common spaces and what materials you can bring in. The password policy is like the lock system on each office door: it sets minimum lock complexity (e.g., must have a deadbolt), how often you must change the lock combination, and that you cannot share your key. The BYOD policy is like allowing employees to use their own briefcases to carry documents: they can use their own device, but IT must inspect the briefcase for prohibited items (malware) before it enters the building, and the briefcase must have a company-approved lock (MDM profile). If an employee leaves, the briefcase must be wiped of all company documents (remote wipe). Just as building security enforces these rules with cameras and ID checks, IT enforces policies with Group Policy, Mobile Device Management (MDM), and network access controls.

How It Actually Works

What Are IT Policies and Why Do They Exist?

IT policies are formalized rules and guidelines that govern how an organization's technology resources are used, protected, and managed. They serve as the foundation for security, compliance, and operational efficiency. On the 220-1102 exam, you must understand the purpose, key elements, and enforcement mechanisms of AUP, BYOD, and Password Policy. These policies are not optional; they are mandated by regulatory frameworks like GDPR, HIPAA, and PCI DSS, and are part of standard operational procedures.

Acceptable Use Policy (AUP)

An AUP defines what users may and may not do with an organization's IT resources, including computers, networks, email, internet access, and data. It is a legal document that users must acknowledge and agree to before gaining access. The exam expects you to know the typical components:

Prohibited Activities: Illegal activities, harassment, unauthorized access, installation of unapproved software, personal use of resources, and sharing of credentials.

Allowed Uses: Business-related activities, limited personal use (if permitted), and use of approved software.

Consequences: Disciplinary actions up to termination and legal prosecution.

Monitoring and Privacy: Statement that the organization may monitor all activities and that users have no expectation of privacy.

Data Classification: Guidelines for handling sensitive data.

The AUP is typically enforced through technical controls: web filters block prohibited sites, email filters scan for sensitive data, and audit logs track user activity. On the exam, you may be asked to identify the correct policy for a given scenario, e.g., "An employee is streaming video during work hours. Which policy does this violate?" – Answer: AUP.

Bring Your Own Device (BYOD) Policy

BYOD policies allow employees to use their personal devices (smartphones, tablets, laptops) for work purposes. The exam focuses on the security and management aspects. Key components:

Device Eligibility: Which devices are allowed (e.g., iOS, Android, corporate-owned only).

Security Requirements: Mandatory passcodes, encryption, antivirus, and regular updates.

Management: Use of Mobile Device Management (MDM) or Mobile Application Management (MAM) to enforce policies, deploy apps, and wipe data remotely.

Separation of Data: Containerization (e.g., work profile on Android) or sandboxing to keep corporate data separate from personal data.

Support: What level of IT support is provided (e.g., only for work-related issues).

Termination: Process for wiping corporate data when the employee leaves or the device is lost/stolen.

Legal Considerations: Compliance with privacy laws regarding personal devices.

On the exam, you must know the difference between BYOD, COPE (Corporate-Owned Personally Enabled), and CYOD (Choose Your Own Device). For example, "Which policy allows employees to use their own devices but requires MDM enrollment?" – BYOD.

Password Policy

Password policy defines rules for creating, managing, and protecting passwords. It is critical for authentication security. The exam tests specific values and best practices based on industry standards (NIST SP 800-63B, Microsoft's recommendations). Key elements:

Password Length: NIST now recommends a minimum of 8 characters (or 6 if using a password manager), but many organizations use 8-12 characters. The exam often cites 8 characters as a common minimum.

Complexity: Use of uppercase, lowercase, numbers, and special characters. However, NIST discourages arbitrary complexity rules because they lead to predictable patterns (e.g., Password1!). Instead, focus on length and banning common passwords.

Password History: Number of previous passwords that cannot be reused. Typical values: 5-24. The exam may mention 10.

Maximum Age: How often passwords must be changed. Older policies used 30-90 days, but NIST now recommends no periodic changes unless there is a compromise. The exam may still reference 90 days as a common setting.

Account Lockout: Number of failed attempts before lockout (e.g., 5-10) and lockout duration (e.g., 15-30 minutes).

Password Managers: Encouraged for generating and storing complex passwords.

Multi-Factor Authentication (MFA): Often required for privileged accounts.
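As an added example (not part of the chapter), the PowerShell below places a legacy three-of-four complexity rule beside a NIST-style check (minimum length plus a banned-word list, with the case folding and character-substitution normalization that Azure AD Password Protection, mentioned in the scenarios later in this chapter, also performs). The banned list and substitution table are constructed for illustration, and rejecting on any substring is a simplification of what real filters do.

```powershell
# Added example, not from the chapter. The banned list and substitution
# table are constructed for illustration; a real deployment would use a
# breached-password list or Azure AD Password Protection, which scores
# matches rather than rejecting on any substring as this simplified check does.

# Legacy rule: at least 8 characters and three of the four character classes.
function Test-LegacyComplexity {
    param([string]$Password)
    $patterns = '[A-Z]', '[a-z]', '\d', '[^A-Za-z0-9]'
    $hits = @($patterns | Where-Object { $Password -cmatch $_ })   # -cmatch: case-sensitive
    return ($Password.Length -ge 8) -and ($hits.Count -ge 3)
}

# Normalize the way banned-password filters do:
#   1. case-fold, 2. drop leading/trailing digits and symbols (the "2023!" suffix),
#   3. undo common letter substitutions so "p@ssw0rd" reads "password".
function ConvertTo-PasswordStem {
    param([string]$Password)
    $s = $Password.ToLowerInvariant() -replace '^[^a-z]+', '' -replace '[^a-z]+$', ''
    $subs = @{ '@' = 'a'; '$' = 's'; '0' = 'o'; '1' = 'i'; '3' = 'e'; '5' = 's'; '7' = 't' }
    foreach ($k in $subs.Keys) { $s = $s.Replace($k, $subs[$k]) }
    return $s
}

# NIST SP 800-63B style: no character-class rules, only a length floor
# (8, the chapter's value) and a check against a banned-word list.
function Test-NistPassword {
    param([string]$Password, [string[]]$BannedList, [int]$MinLength = 8)
    if ($Password.Length -lt $MinLength) { return "Rejected: shorter than $MinLength" }
    $stem = ConvertTo-PasswordStem -Password $Password
    foreach ($word in $BannedList) {
        if ($stem.Contains($word)) { return "Rejected: contains banned word '$word'" }
    }
    return 'Accepted'
}

# Constructed banned list (real lists are far larger) and sample passwords.
# "Password1!" and "Winter2023" pass the legacy rule but fail the NIST-style
# check; the long passphrase fails the legacy rule but passes the NIST-style one.
$banned  = 'password', 'welcome', 'letmein', 'qwerty', 'winter', 'spring', 'summer', 'autumn'
$samples = 'Password1!', 'P@ssw0rd2023!', 'Winter2023', 'Tr0ub4dor&3', 'correct horse battery staple'
$samples | ForEach-Object {
    [pscustomobject]@{
        Password   = $_
        LegacyRule = Test-LegacyComplexity -Password $_
        NistStyle  = Test-NistPassword -Password $_ -BannedList $banned
    }
} | Format-Table -AutoSize
```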

Enforcement is done via Group Policy in Windows (Local Security Policy or GPO). Key settings:

Enforce password history: 10 passwords remembered

Maximum password age: 90 days

Minimum password length: 8 characters

Minimum password age: 1 day (prevents rapid cycling)

Account lockout threshold: 5 invalid attempts

Account lockout duration: 30 minutes

Reset account lockout counter after: 30 minutes

How Policies Interact

These policies are not isolated. For example, a BYOD policy may require a strong password on the device (password policy), and the AUP will prohibit using that device for personal streaming on the corporate network. The exam may present a scenario where you must apply multiple policies. For instance, "An employee's personal phone is lost. Which policy addresses data removal?" – BYOD policy (remote wipe).

Enforcement and Compliance

Policies are enforced through technical controls:

Group Policy: Applies password policies domain-wide.

MDM: Enforces BYOD policies (encryption, passcode, remote wipe).

Web Filters: Enforce AUP by blocking categories (e.g., gambling, social media).

DLP (Data Loss Prevention): Prevents sensitive data from leaving the network.

Non-compliance can lead to disciplinary actions as outlined in the AUP. The exam may ask about the consequences of policy violations.

Exam-Relevant Details

AUP: Must be signed by users before access. Includes monitoring clause.

BYOD: Requires MDM; containerization for data separation; remote wipe capability.

Password Policy: Minimum length 8; account lockout after 5 attempts; password history of 10; maximum age 90 days (though modern guidance changes).

NIST SP 800-63B: Updated guidelines: no periodic changes, no complexity requirements (except length), check against breached password lists.

Common Configurations

Windows Local Security Policy commands:

secpol.msc

Navigate to Account Policies > Password Policy and Account Lockout Policy.
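As an added example (not from the chapter), the PowerShell below exports the same Account Policies that secpol.msc displays and compares them with the exam values listed under Key settings above; it assumes an elevated session and uses only secedit.exe, which ships with Windows.

```powershell
# Added example, not from the chapter: audit a Windows machine's effective
# Account Policies against the chapter's exam values.
# Assumes an elevated PowerShell session; secedit.exe ships with Windows.

# Target values are the chapter's "Key settings"; the keys are the names
# secedit uses in its exported INF file.
$target = [ordered]@{
    PasswordHistorySize   = 10   # Enforce password history
    MaximumPasswordAge    = 90   # Maximum password age (days)
    MinimumPasswordLength = 8    # Minimum password length
    MinimumPasswordAge    = 1    # Minimum password age (days)
    LockoutBadCount       = 5    # Account lockout threshold
    LockoutDuration       = 30   # Account lockout duration (minutes)
    ResetLockoutCount     = 30   # Reset account lockout counter after (minutes)
}

# Export the local security policy (the data shown under Account Policies in
# secpol.msc) to a temporary INF file and read its numeric settings.
$inf = Join-Path $env:TEMP 'secpol-audit.inf'
secedit.exe /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
if (-not (Test-Path $inf)) { throw 'secedit export failed; run PowerShell as Administrator.' }

$current = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^\s*(\w+)\s*=\s*(-?\d+)') {
        $current[$Matches[1]] = [int]$Matches[2]
    }
}
Remove-Item $inf -Force

# Compare each setting. secedit stores "password never expires" as -1 and
# "no lockout" as 0, so a DIFF line shows the raw value for inspection.
foreach ($name in $target.Keys) {
    $have = $current[$name]
    $status = if ($null -eq $have) { 'MISSING' }
              elseif ($have -eq $target[$name]) { 'OK' }
              else { 'DIFF' }
    '{0,-7} {1,-22} machine={2,-5} expected={3}' -f $status, $name, $have, $target[$name]
}
```

On a domain member the exported values normally reflect the applied domain GPO; the same settings can be read at the domain level with Get-ADDefaultDomainPasswordPolicy from the ActiveDirectory module.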

For MDM, common solutions include Microsoft Intune, VMware Workspace ONE, and Jamf. The exam expects you to know that MDM enforces policies on mobile devices.

Summary of Key Values

Minimum password length: 8 characters (common), 6 (NIST minimum with password manager)

Password history: 10 remembered

Maximum password age: 90 days (or none per NIST)

Account lockout threshold: 5 attempts

Lockout duration: 30 minutes

These values appear directly in exam questions. Memorize them.

Interaction with Other Technologies

Active Directory: Stores password policies via GPOs.

Azure AD / Microsoft 365: Cloud-based password policies and MFA.

VPN: May require additional authentication (MFA) as per policy.

Email: DLP policies enforce AUP for email content.

Understanding these interactions helps in scenario-based questions where you must choose the correct tool or setting.

Conclusion

IT policies are the backbone of organizational security. The 220-1102 exam tests your ability to identify, apply, and enforce AUP, BYOD, and password policies. Focus on key values, enforcement mechanisms, and common scenarios. Remember that policies must be documented, communicated, and enforced consistently.

Walk-Through

1. Identify Policy Requirements

The first step in implementing IT policies is to identify the organization's security, legal, and operational requirements. For AUP, this includes determining acceptable use of email, internet, and devices. For BYOD, it involves deciding which devices are allowed and what security controls are necessary. For password policy, it means establishing password length, complexity, and expiration based on industry standards (e.g., NIST SP 800-63B). This step involves risk assessment and compliance considerations (e.g., HIPAA, GDPR). The output is a draft policy document that outlines rules, consequences, and enforcement mechanisms.

2. Create Policy Documentation

Once requirements are identified, formal policy documents are created. The AUP document should clearly state prohibited activities, monitoring practices, and disciplinary actions. The BYOD policy must specify device eligibility, security requirements (encryption, passcode), MDM enrollment, and data separation. The password policy document includes specific technical settings like minimum password length (8 characters), password history (10), lockout threshold (5 attempts), and maximum age (90 days). These documents are written in clear language and include an acknowledgment section for users to sign. The documentation is stored in a central repository (e.g., company intranet) and version-controlled.

3. Communicate and Train Users

Policies must be communicated to all users before enforcement. This involves distributing the policy documents, conducting training sessions, and obtaining signed acknowledgments. For AUP, training covers prohibited activities and monitoring. For BYOD, users learn about MDM enrollment, device security, and the remote wipe process. For password policy, training emphasizes creating strong passwords, not sharing them, and recognizing phishing attempts. The training can be delivered via email, online courses, or in-person sessions. Acknowledgment is often tracked in a learning management system (LMS) or HR database.

4. Implement Technical Controls

After communication, technical controls are deployed to enforce policies. For AUP, web filters (e.g., Cisco Umbrella, Microsoft Defender for Office 365) block categories like social media, gambling, and adult content. Email filters scan for sensitive data and block malicious attachments. For BYOD, an MDM solution (e.g., Microsoft Intune) is configured to require passcodes, encrypt devices, and enforce compliance. The MDM pushes policies to devices, and if a device is non-compliant, it can be blocked from accessing corporate resources. For password policy, Group Policy Objects (GPOs) are applied to domain-joined computers to enforce password length, history, and lockout settings. On Azure AD, Conditional Access policies can require MFA.

5. Monitor and Enforce Compliance

Continuous monitoring is essential to ensure policies are followed. For AUP, logs from web filters, email gateways, and network traffic are reviewed for violations. Automated alerts can be set for repeated infractions. For BYOD, MDM reports show device compliance status; non-compliant devices are quarantined or wiped. For password policy, Active Directory reports show password age and lockout events. Enforcement actions range from warnings to revocation of access. Disciplinary actions follow the AUP. The exam expects you to know that monitoring is a key part of policy enforcement and that violations should be documented.

What This Looks Like on the Job

Enterprise Scenario 1: Financial Institution AUP Enforcement

A large bank implements a strict AUP to comply with regulatory requirements (SOX, PCI DSS). Employees are prohibited from using corporate email for personal communication, accessing social media on work computers, and installing unapproved software. The bank uses a web filter (e.g., Zscaler) that blocks categories like 'Social Networking' and 'Personal Storage'. Email DLP (Data Loss Prevention) scans outgoing emails for credit card numbers and SSNs. When a violation occurs (e.g., an employee tries to access Facebook), the filter logs the attempt. After three violations, the employee is reported to HR. The AUP is signed annually. Common misconfigurations include overly restrictive policies that block legitimate business websites (e.g., LinkedIn for recruiters) or failure to update the filter's category list, leading to false positives.

Enterprise Scenario 2: Healthcare BYOD with MDM

A hospital allows doctors to use personal iPads and iPhones to access electronic health records (EHR) via a BYOD policy. The policy requires: device encryption (FileVault on macOS, BitLocker on Windows), a 6-digit passcode, and enrollment in Microsoft Intune. Intune pushes a compliance policy that checks for jailbroken/rooted devices and requires the device to be updated to the latest iOS version. The EHR app is deployed as a managed app with MAM (Mobile Application Management) to prevent data from being copied to personal apps. If a device is lost, the IT admin can perform a selective wipe, removing only corporate data. Common issues include users disabling location services, which breaks conditional access policies, or attempting to use devices with outdated OS versions that are no longer compliant.

Enterprise Scenario 3: Password Policy in a Large Corporation

A multinational company with 50,000 employees enforces a password policy via Active Directory GPOs: minimum length 10 characters, password history 24, maximum age 60 days, lockout after 5 attempts with 30-minute duration. However, users often write down passwords or use predictable patterns (e.g., MonthYear!). To improve security, the company implements Azure AD Password Protection, which bans common passwords (e.g., Password123, Winter2023). They also require MFA for all users via Azure AD Conditional Access. A common mistake is setting the lockout threshold too low (e.g., 3 attempts), causing excessive lockouts and help desk calls. Another is not enforcing a minimum password age (e.g., 1 day), allowing users to cycle through their password history quickly to reuse an old password.

How 220-1102 Actually Tests This

What the 220-1102 Exam Tests

Objective 4.1: 'Given a scenario, implement best practices associated with documentation and support systems information management.' This includes policies like AUP, BYOD, and password policy. Expect scenario-based questions where you must identify the correct policy or its enforcement mechanism. For example:

"An employee uses a personal laptop for work and stores customer data on it. Which policy is most relevant?" – BYOD.

"A user sets a password that is only 4 characters long. Which policy is violated?" – Password policy.

"An employee streams video during work hours. Which policy does this violate?" – AUP.

Common Wrong Answers and Why

1. Confusing AUP with BYOD: If a scenario involves personal device usage, candidates often choose AUP. But BYOD specifically addresses the use of personal devices for work. AUP covers all acceptable use, but BYOD is more specific.

2. Ignoring password history: When asked about preventing password reuse, candidates may choose 'minimum password length' or 'maximum password age'. The correct setting is 'enforce password history'.

3. Overlooking account lockout: For brute-force attacks, candidates may suggest longer passwords. While length helps, account lockout is the primary defense. The exam may ask: "Which policy setting mitigates brute-force attacks?" – Account lockout threshold.

4. Misunderstanding NIST guidelines: The exam may reference NIST SP 800-63B. Common mistake: thinking NIST requires periodic password changes. Current NIST guidance says no periodic changes; instead, check against breached lists.

Specific Numbers and Terms

Minimum password length: 8 characters (common), 6 (NIST minimum with password manager)

Password history: 10 remembered (default in Windows)

Maximum password age: 90 days (common), but NIST says no periodic change

Account lockout threshold: 5 attempts

Lockout duration: 30 minutes

Reset lockout counter after: 30 minutes

Edge Cases and Exceptions

Service accounts: Often exempt from password expiration because changing them breaks services. The exam may ask: "Which accounts should have a different password policy?" – Service accounts.

Admin accounts: Should have stricter policies (e.g., longer passwords, MFA).

Guest accounts: Should be disabled or have very limited access.

Password managers: Can generate and store complex passwords; the policy should allow their use.

How to Eliminate Wrong Answers

If a question asks about 'preventing unauthorized personal use of company resources', the answer is always AUP.

If it mentions 'remote wipe of a lost device', the answer is BYOD policy (or MDM).

If it asks about 'setting password complexity', look for 'minimum password length' or 'password must meet complexity requirements'.

If the scenario involves 'sharing passwords', the violation is against password policy (and possibly AUP).

Remember: The exam tests your ability to apply policies to real-world scenarios. Focus on the specific language of each policy and its enforcement.

Key Takeaways

AUP defines acceptable use of IT resources and must be signed by users.

BYOD policy requires MDM enrollment, encryption, and remote wipe capability.

Password policy minimum length is 8 characters (common), with password history of 10.

Account lockout threshold is typically 5 attempts, with lockout duration of 30 minutes.

Maximum password age is 90 days (though NIST no longer recommends periodic changes).

NIST SP 800-63B emphasizes password length over complexity and bans common passwords.

Service accounts should be exempt from password expiration policies.

Enforcement uses GPO for Windows, MDM for mobile, and web/email filters for AUP.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

BYOD (Bring Your Own Device)

Employee owns the device; company has less control.

Requires MDM for security enforcement.

Cost-effective for the company; employee bears device cost.

Data separation via containerization or MAM.

Privacy concerns: company can wipe corporate data, not personal.

COPE (Corporate-Owned Personally Enabled)

Company owns the device; full control over security.

Device can be pre-configured with company image.

Company pays for device and service plan.

Single profile for work and personal use; less separation.

Less privacy concern; company can wipe entire device.

Watch Out for These

Mistake: AUP only applies to internet usage.

Correct: AUP covers all IT resources: computers, email, network, data, and even physical devices. Internet usage is just one part. It also includes software installation, data handling, and communication.

Mistake: BYOD means the company has no control over the device.

Correct: BYOD requires the device to be enrolled in MDM, which enforces security policies like encryption, passcode, and remote wipe. The company can even wipe corporate data selectively.

Mistake: Password complexity (uppercase, lowercase, numbers, symbols) is the most important factor.

Correct: NIST SP 800-63B now states that password length is more important than complexity. Long passphrases are stronger. Complexity rules often lead to predictable patterns (e.g., Password1!).

Mistake: Password expiration every 30 days is always more secure.

Correct: NIST no longer recommends periodic password changes unless there is evidence of compromise. Frequent changes lead to weaker passwords and user frustration. Only change when necessary.

Mistake: Account lockout prevents all brute-force attacks.

Correct: Lockout helps, but attackers can use distributed attacks (e.g., botnets) to try a few passwords per account. Also, lockout can be bypassed if the attacker knows the lockout threshold and stays below it. MFA is a stronger defense.

Frequently Asked Questions

What is the difference between AUP and BYOD policy?

AUP (Acceptable Use Policy) governs how all IT resources (computers, network, email) can be used, regardless of ownership. It covers prohibited activities like personal use, harassment, and unauthorized software. BYOD (Bring Your Own Device) policy specifically addresses the use of personal devices for work, including security requirements (MDM, encryption) and data separation. In short, AUP is broad, BYOD is specific to personal devices. On the exam, if a scenario involves a personal device, BYOD is likely the answer.

What is the default password history setting in Windows?

The default Windows password history setting is 10 passwords remembered. This prevents users from reusing any of the last 10 passwords. You can configure this via Group Policy (Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy > Enforce password history). The exam may test this value, so remember 10.

What is the recommended minimum password length according to NIST?

NIST SP 800-63B recommends a minimum of 8 characters for user-chosen passwords, or 6 characters if the password is randomly generated by a password manager. They also recommend checking passwords against a list of commonly used, compromised passwords. The exam may reference 8 characters as a common minimum, but also be aware of the NIST guidelines.

How does account lockout help prevent brute-force attacks?

Account lockout disables an account after a specified number of failed login attempts (e.g., 5). This prevents an attacker from guessing thousands of passwords in a short time. However, it can be bypassed by slow, distributed attacks or by targeting multiple accounts. The lockout duration (e.g., 30 minutes) gives time for the user to notice and report. On the exam, remember that lockout threshold is typically 5 attempts.

What is the difference between MDM and MAM?

MDM (Mobile Device Management) manages the entire device, enforcing policies like encryption, passcode, and remote wipe. It is used in BYOD and COPE. MAM (Mobile Application Management) manages only specific applications, protecting corporate data within those apps without controlling the whole device. MAM is often used with BYOD to separate work and personal data. On the exam, if the scenario requires controlling only the app, choose MAM; for full device control, choose MDM.

Should passwords be changed every 90 days?

According to NIST SP 800-63B (2020), periodic password changes are no longer recommended unless there is evidence of compromise. Frequent changes lead to weaker passwords and user fatigue. However, many legacy policies still enforce 90-day expiration. The exam may present both views, but the modern best practice is to only change passwords when compromised. Know that the exam might ask about 'best practice' or 'NIST recommendation'.

What is containerization in BYOD?

Containerization is a method of separating corporate data from personal data on a mobile device. It creates a secure, encrypted container (e.g., Android Work Profile or iOS Managed Open In) where corporate apps and data reside. The container is managed by MDM/MAM, and IT can wipe the container without affecting personal data. This is a key feature of BYOD policies to address privacy concerns.
