His policy covers the key elements required in any Authentication Policy. Here’s an excerpt:

Policy
Access to the [ORGANIZATION]’s information assets will be granted on different levels, based on the business rules established by data owner’s of that information, for an authorized user or entity to create, read, update, delete or transmit that information. Users will be provided access based on the concept of “least privilege.” Access will be managed and controlled  through discretionary access controls, identification and authentication, and audit trails.

Use of the [ORGANIZATION]’s information assets shall be restricted and shall be allowed only as necessary to support authorized business activities. The business rules currently in effect in conjunction with the [ORGANIZATION]’s user-based access controls shall be reviewed for
adequate security level access and protection, and may serve as the foundation for establishing compliance with this policy.

Any effort to circumvent the [ORGANIZATION]’s information security mechanisms to gain access or to exploit any known or unknown vulnerabilities shall be perceived as a security incident, and shall be handled in accordance with established incident reporting guidelines and/or
appropriate human resources policies and procedures.

All of the [ORGANIZATION] information is considered an asset and is protected, in all of its forms, from accidental or intentional but unauthorized, disclosure (confidentiality), modification or destruction (integrity), or the inability to process that information (availability).

Walter requires a $5 fee for using or adapting his copyrighted policy. That’s a bargain in my opinion.

Check it out!

Here’s an excerpt:

I. PURPOSE
To ensure that only authorized users have access to Auburn University computers.

II. POLICY
Auburn University computers will be configured to require authentication at startup.  When possible, authentication will be done through official domain facilities, otherwise authentication will be established on each individual machine.

Auburn University computers will be configured to have a screen lock that engages after no more than 30 minutes of inactivity and which requires re-authentication. When possible, the screen lockout will be controlled through official domain.

There’s probably more that you should include but this is a good start.