- Defines acceptable use of IT equipment and computing services, and the appropriate employee security measures to protect the organization's corporate resources and proprietary information. [MS Word]
- Defines responsibilities regarding corporate acquisitions and the minimum requirements of an acquisition assessment to be completed by the information security group. [MS Word]
- Defines policy for analog/ISDN lines used for FAXing and data connections.
- Requirements for effective virus detection and prevention. Written for a laboratory environment but easy to adapt for other settings. [MS Word]
- Security criteria for an ASP.
- Defines requirements and provides authority for the information security team to conduct IT audits and risk assessments.
- A menu of clauses suitable for email acceptable use policies.
- Sample policy establishing security requirements of equipment to be deployed in the corporate De-Militarized Zone. [MS Word]
- Defines requirements for securely storing and retrieving database usernames and passwords. [MS Word]
- Policy regarding the use of dial-in connections to corporate networks. [MS Word]
- Succinct DR policy from Imperial College, London.
- Email must not be forwarded automatically to an external destination without prior approval from the appropriate manager.
- Sample policy to help employees determine which emails should be retained and for how long.
- Defines encryption algorithms that are suitable for use within the organization. [MS Word]
- Sample policy intended to 'establish a culture of openness, trust and integrity'.
- Defines the requirement that third party organizations requiring access to the organization's networks must sign a third-party connection agreement. [MS Word]
- The New Zealand Government's information security policy, based on the 2000 version of ISO/IEC 17799. [ZIP file containing PDF and MS Word versions]
- Sample privacy policy including Privacy Act systems of records notices, Privacy Act statements and a privacy impact assessment, designed to satisfy the requirements of HSPD-12 “Policy for a Common Identification Standard for Federal Employees and Contractors”.
- Collaborative open project building a library of sample information security policies, supporting standards and other documents through a wiki.
- Example security policy to demonstrate policy writing techniques introduced in three earlier articles.
- Typical headings for a security policy aligned broadly with the ISO/IEC standard for information security management systems.
- IT security policy example/how-to guide from Enterprise Ireland.
- The Information Security Toolkit from UCISA (University Colleges and Information Systems Association) contains a suite of security policy and guidance documents reflecting and cross-referenced against BS7799. [PDF documents]
- High-level information security policy statement for the Childhood Cancer Research Group at Oxford University.
- Sample policy defining the assignment of sensitivity levels to information.
- Sample policy defining the minimum requirement for all equipment located outside the corporate firewall.
- Policy on acceptable use of a school network, along with information for parents and an informed consent form. Developed in Washington State.
- Policy to secure confidential information and technologies in the labs and protect production services and the rest of the organization from lab activities. [MS Word]
- Sample policy from Sandstorm, designed as an addition to an existing Remote Access Policy, if one exists, or simply to stand alone.
- Example security policy for a data network from the University of Toronto.
- Defines standards for creating, protecting and changing strong passwords. [MS Word]
- Generic policy for websites offering goods and services, with an important warning to seek qualified legal advice in this area.
- Defines standards for connecting to a corporate network from any host. [MS Word]
- Defines requirements and authorizes the information security team to identify, assess and remediate risks to the organization's information infrastructure. [MS Word]
- Sample policy establishing the minimum security requirements for all routers and switches connecting to production networks. [MS Word]
- Defines standards for minimal security configuration for servers inside the organization's production network, or used in a production capacity.
- Sample policy on teleworking covering employment as well as information security issues.
- Sample agreement for establishing a connection to an external party.
- A set of information security policies from the University of Louisville.
- Policy from the University of Colorado on the use of, access to, and disclosure of electronic mail.
- Defines the requirements for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the organization's network.
- Sample policy concerning the use of unsecured wireless communications technology.