Page 338 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
types of privileges or access rights
Assists in the identification and assessment of the common security controls where the information resides.
NIST SP 800-18 frequently uses the phrase “rules of
behavior,” which is effectively the same as an acceptable use policy
(AUP). Both outline the responsibilities and expected behavior of
individuals and state the consequences of not complying with the
rules or AUP. Additionally, individuals are required to periodically
acknowledge that they have read, understand, and agree to abide
by the rules or AUP. Many organizations post these on a website
and allow users to acknowledge that they understand and agree to
abide by them using an online electronic digital signature.
Asset Owners
The asset owner (or system owner) is the person who owns the asset or
system that processes sensitive data. NIST SP 800-18 outlines the
following responsibilities for the system owner:
Develops a system security plan in coordination with information owners, the system administrator, and functional end users
Maintains the system security plan and ensures that the system is deployed and operated according to the agreed-upon security requirements
Ensures that system users and support personnel receive appropriate security training, such as instruction on rules of behavior (or an AUP)
Updates the system security plan whenever a significant change occurs
Assists in the identification, implementation, and assessment of the common security controls