PL-4 Rules of Behavior
Description
This Control enhancement applies to organizational users. Organizations consider rules of behavior based on individual user roles and responsibilities, differentiating, for example, between rules that apply to privileged users and rules that apply to general users.
Establishing rules of behavior for some types of non-organizational users including, for example, individuals who simply receive data/information from federal information systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems.
Rules of behavior for both organizational and non-organizational users can also be established in AC-8, System Use Notification. PL-4(2) (the signed acknowledgment portion of this Control) may be satisfied by the security awareness training and role-based security training programs conducted by organizations if such training includes rules of behavior.
Organizations can use electronic signatures for acknowledging rules of behavior.
Applicability
This Control applies to all information resource owners, custodians, and users.
Implementation
TAMU-CC Office of Information Security (OIS) defines the scope, behavior, practices, and compliance monitoring pertaining to users of information resources:
- Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage. TAMU-CC documents acceptable use guidelines [PDF];
- Ensures users formally acknowledge, agree to abide by, and adhere to prudent and responsible Internet use practices (including reasonable personal use) outlined in Texas A&M System Policy 33.04, Use of System Resources [TAMUS 33.04 [PDF]], and the member’s acceptable use guidelines;
- Reviews and updates the rules of behavior annually;
- Requires individuals who have acknowledged a previous version of the rules of behavior to read and reacknowledge when the rules of behavior are revised/updated;
- Establishes a documented process for authorization to monitor member information resources; and
- Monitors information resources in accordance with Texas A&M System Policy 29.01, Information Resources [TAMUS 29.01 [PDF]].
Revision History
Last Updated: February 21, 2025
Previous Versions:
- June 29, 2023
- May 31, 2022
- March 25, 2021
- September 16, 2019