Sample Security Policies
There are a ton of great sample security policies available at the SAN Institute Security Policy Project here.
Included in the policies you can download in either Word or PDF format are:
Acceptable Encryption Policy
Defines requirements for encryption algorithms used within the organization.Acceptable Use Policy
Defines acceptable use of equipment and computing services, and the appropriate employee security measures to protect the organization’s corporate resources and proprietary information.Analog/ISDN Line Policy
Defines standards for use of analog/ISDN lines for Fax sending and receiving, and for connection to computers.Anti-Virus Process
Defines guidelines for effectively reducing the threat of computer viruses on the organization’s network.Application Service Provider Policy
Defines minimum security criteria that an ASP must execute in order to be considered for use on a project by the organization.Application Service Provider Standards
Outlines the minimum security standards for the ASP. This policy is referenced in the ASP Policy above.Acquisition Assessment Policy
Defines responsibilities regarding corporate acquisitions, and defines the minimum requirements of an acquisition assessment to be completed by the information security group.Audit Vulnerability Scanning Policy
Defines the requirements and provides the authority for the information security team to conduct audits and risk assessments to ensure integrity of information/resources, to investigate incidents, to ensure conformance to security policies, or to monitor user/system activity where appropriate.Automatically Forwarded Email Policy
Documents the requirement that no email will be automatically forwarded to an external destination without prior approval from the appropriate manager or director.Database Credentials Coding Policy
Defines requirements for securely storing and retrieving database usernames and passwords.Dial-in Access Policy
Defines appropriate dial-in access and its use by authorized personnel.DMZ Lab Security Policy
Defines standards for all networks and equipment deployed in labs located in the “Demilitarized Zone” or external network segments.E-mail Policy
Defines standards to prevent tarnishing the public image of the organization.E-mail Retention
The Email Retention Policy is intended to help employees determine what information sent or received by email should be retained and for how long.Ethics Policy
Defines the means to establish a culture of openness, trust and integrity in business practices.Extranet Policy
Defines the requirement that third party organizations requiring access to the organization’s networks must sign a third-party connection agreement.Information Sensitivity Policy
Defines the requirements for classifying and securing the organization’s information in a manner appropriate to its sensitivity level.Internal Lab Security Policy
Defines requirements for internal labs to ensure that confidential information and technologies are not compromised, and that production services and interests of the organization are protected from lab activities.Internet DMZ Equipment Policy
Defines the standards to be met by all equipment owned and/or operated by the organization that is located outside the organization’s Internet firewalls (the demilitarized zone or DMZ)).Lab Anti-Virus Policy
Defines requirements which must be met by all computers connected to the organization’s lab networks to ensure effective virus detection and prevention.Password Protection Policy
Defines standards for creating, protecting, and changing strong passwords.Personal Communication Device
Describes Information Security’s requirements for Personal Communication Devices and Voicemail.Remote Access Policy
Defines standards for connecting to the organization’s network from any host or network external to the organization.Remote Access - Mobile Computing and Storage Devices
To establish an authorized method for controlling mobile computing and storage devices that contain or access information resources.Risk Assessment Policy
Defines the requirements and provides the authority for the information security team to identify, assess, and remediate risks to the organization’s information infrastructure associated with conducting business.Router Security Policy
Defines standards for minimal security configuration for routers and switches inside a production network, or used in a production capacity.Server Security Policy
Defines standards for minimal security configuration for servers inside the organization’s production network, or used in a production capacity.Server Malware Protection Policy
Outlines which server systems are required to have anti-virus and/or anti-spyware applications.The Third Party Network Connection Agreement
Defines the standards and requirements, including legal requirements, needed in order to interconnect a third party organization’s network to the production network. This agreement must be signed by both parties.VPN Security Policy
Defines the requirements for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the organization’s network.Wireless Communication Policy
Defines standards for wireless systems used to connect to the organization’s networks.
Lots of great info. Check it out!