I wrote a generic Personnel Security Policy which is attached below.

Sections of this policy include:

• Requirement to Protect Corporate Assets
• Information Security Responsibilities in Employee Handbook & Contracts
• Information Security Training
• Background Checks
• Bonding
• Conflict of Interest
• Non-Disclosure Agreements
• Security Incidents

Here’s an excerpt:

Include information security responsibilities in company rules and worker’s contracts.

• Information security responsibilities to be followed by all employees must be incorporated into Organization XYZ’s employee handbook.
• All employees must acknowledge in writing (electronic acknowledgement is acceptable) that they have read and understood Organization XYZ’s employee handbook.
• Specific information security responsibilities must be incorporated into all contracts with contractors (including consultants or any non-employee who performs work for hire) who have access to restricted, customer or otherwise sensitive information.

You can download a copy of the policy here: Personnel Security Policy

Let me know if you have any suggestions!