

Monday, October 15, 2007

Sample Security Policies

HSPD-12 Privacy Policy -
Sample privacy policy including Privacy Act systems of records notices, Privacy Act statements and a privacy impact assessment, designed to satisfy the requirements of HSPD-12 “Policy for a Common Identification Standard for Federal Employees and Contractors”
Information Security Policies -
Electronic resource usage and security policies from the University of Pennsylvania.
Information Security Policies -
SANS consensus research project offering around 30 editable information security policies.
Information Security Policies -
Set of acceptable use and technical policies from the University of Auckland covering common information security issues.
ISO 27001 Policies -
Typical headings for a security policy aligned broadly with the ISO/IEC standard for information security management systems.
Network Security Policy -
Example security policy for a data network from the University of Toronto.
Information Security Policies -
NIST's extensive collection of well over 100 security policies and related awareness materials, mostly from US Government bodies.
Information Security Policy -
An information security policy from the University of Illinois.
Email Policy -
A menu of clauses suitable for email acceptable use policies.
Security Policy Primer -
General advice for those new to writing information security policies.
IT Security Policy -
Information technology security policy at Murdoch University, complete with supporting standards and guidelines.
Modem Policy -
Sample policy from Sandstorm, designed as an addition to an existing Remote Access Policy, if one exists, or simply to stand alone.
Information Security Policies -
Policies on information security and other topics from ePolicy Institute.
K-20 Network Acceptable Use Policy -
Policy on acceptable use of a school network, along with information for parents and an informed consent form. Developed in Washington State.
Network Security Policy Guide -
Watchguard's guide to creating an overarching network information security policy, supported by subsidiary policies.
Audit Policy -
Defines requirements and provides authority for the information security team to conduct IT audits and risk assessments.
IP Network Security Policy -
Example security policy to demonstrate policy writing techniques introduced in three earlier articles.
Email Retention Policy -
Sample policy to help employees determine which emails should be retained and for how long.
Internet DMZ Equipment Policy -
Sample policy defining the minimum requirement for all equipment located outside the corporate firewall.
Information Sensitivity Policy -
Sample policy defining the assignment of sensitivity levels to information.
Password Policy -
Defines standards for creating, protecting and changing strong passwords. [MS Word]
Internet Acceptable Use Policy -
One-page Acceptable Use Policy example.
Acceptable Use Policy -
Defines acceptable use of IT equipment and computing services, and the appropriate employee security measures to protect the organization's corporate resources and proprietary information. [MS Word]
Information Security Policies -
Collection of policies relating to SOX, GLBA, HIPAA and the ISO/IEC 27000-series on the HORSE (Holistic Operational Readiness Security Evaluation) wiki.
Information Security Policies -
Templates for information security policies, guidelines, checklists and procedures by Walt Kobus.
Risk Assessment Policy -
Defines requirements and authorizes the information security team to identify, assess and remediate risks to the organization's information infrastructure. [MS Word]
Information Security Policies -
111-page security policy manual from the Australian New South Wales Department of Commerce, based on ISO 27001.
Personnel Security Policy -
Example policy covering pre-employment screening, security policy training etc.
Information Security Policies -
US Postal Service's information security policy manual. 264 pages of security controls, broadly similar in structure to ISO 17799.
Analog/ISDN Line Policy -
Defines policy for analog/ISDN lines used for FAXing and data connections.
Anti-Virus Policy -
Requirements for effective virus detection and prevention. Written for a laboratory environment but easy to adapt for other settings. [MS Word]
Acquisition Assessment Policy -
Defines responsibilities regarding corporate acquisitions and the minimum requirements of an acquisition assessment to be completed by the information security group. [MS Word]
Dial-in Access Policy -
Policy regarding the use of dial-in connections to corporate networks. [MS Word]
Ethics Policy -
Sample policy intended to 'establish a culture of openness, trust and integrity'.
Extranet Policy -
Defines the requirement that third party organizations requiring access to the organization's networks must sign a third-party connection agreement. [MS Word]
Privacy Policy -
Generic policy for websites offering goods and services, with an important warning to seek qualified legal advice in this area.
Cryptography Policy -
Cryptographic policy template by Walt Kobus.
Communications Policy -
Data communications security policy template by Walt Kobus; defines network security control requirements.
Physical Security Policy -
Policy template by Walt Kobus defines requirements for physical access control to sensitive facilities and use of ID badges.
Data Classification Policy -
Policy template by Walt Kobus describes the classification of information according to sensitivity (primarily confidentiality).
User Data Protection Policy -
Policy template by Walt Kobus defines requirements for access controls, least privilege, integrity etc. to secure personal data.
Information Data Ownership Policy -
Policy template by Walt Kobus defines the roles and responsibilities of owners, custodians and users of information systems.
Resource Utilization Policy -
Policy template by Walt Kobus defines requirements for resilience, redundancy and fault tolerance in information systems.
Security Audit Policy -
Audit policy template by Walt Kobus.
Security Management Policy -
General information security policy template by Walt Kobus.
Router Security Policy -
Sample policy establishing the minimum security requirements for all routers and switches connecting to production networks. [MS Word]
Remote Access Policy -
Defines standards for connecting to a corporate network from any host. [MS Word]
IT Security Policy -
IT security policy example/how-to guide from Enterprise Ireland.
Database Password Policy -
Defines requirements for securely storing and retrieving database usernames and passwords. [MS Word]
DMZ Security Policy -
Sample policy establishing security requirements for equipment to be deployed in the corporate demilitarized zone (DMZ). [MS Word]
Government Security Policy -
The New Zealand Government's information security policy, based on the 2000 version of ISO/IEC 17799. [ZIP file containing PDF and MS Word versions]
Identification and Authentication Policy -
I&A policy template by Walt Kobus defines requirements for access control.
Certification and Accreditation Policy -
Policy template by Walt Kobus defines requirements and responsibilities for security assurance throughout the system development process.
Laboratory Security Policy -
Policy to secure confidential information and technologies in the labs and protect production services and the rest of the organization from lab activities. [MS Word]
Encryption Policy -
Defines encryption algorithms that are suitable for use within the organization. [MS Word]
Password Policy -
A password policy presented in the form of a security awareness poster. "Passwords are like underwear ..."
Telecommuting/Teleworking Policy -
Sample policy on teleworking covering employment as well as information security issues.
Information Security Policies -
Collection of information security policy samples covering PKI, antivirus, ethics, email and several other topics, from AttackPrevention.
Email Policy -
Policy from the University of Colorado on the use of, access to, and disclosure of electronic mail.
Server Security Policy -
Defines standards for minimal security configuration for servers inside the organization's production network, or used in a production capacity.
Application Service Provider Policy -
Security criteria for an ASP.
Virtual Private Network Policy -
Defines the requirements for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the organization's network.
Email Forwarding Policy -
Email must not be forwarded automatically to an external destination without prior approval from the appropriate manager.
Third Party Connection Agreement -
Sample agreement for establishing a connection to an external party.
Wireless Communication Policy -
Sample policy concerning the use of unsecured wireless communications technology.

Source :
