In this module, you explored policies and practices used by organizations to protect information. There are a variety of policies that are intended to improve the security posture of an organization. These policies include but are not limited to: acceptable use policies, privacy policies, authorized access policies, change and configuration management policies, human resource policies, codes of ethics, organizational security policies, password policies, user education and awareness policies, and user management policies, among many others. Many of the aforementioned policies live within an organization$$s overarching information security policy, although they can stand alone, depending on the size of the organization. The size of the organization can also affect the ways in which roles and responsibilities are determined. For example, a smaller organization could have an IT department of one, where a larger organization will have dedicated roles with distinct skill sets and responsibilities that no other role takes ownership of$.$