Sample Information Security Policy Templates

ISPME comes with a complete set of information security policy templates, all in MS-Word format and mapped to our Common Policy Library (CPL).

 1.0     IT Risk Management Security Policy

This sample policy defines the requirements for establishment of a risk management program, including the identification of the appropriate control posture for all computer and communications information system assets, establishing a risk-assessment methodology, conducting threat and vulnerability analysis, and reviewing and reporting to senior management.

 2.0    Information Security Program Policy

This policy sets out the overall controls for the establishment and ongoing management of the information security program.  It provides the link between the written information security policies and the rest of the program.

 3.0    Information Security Organization Policy

This sample information security policy defines various information ownership roles and responsibilities, including the roles of “user”, “owner” and “custodian”.  It also defines the requirements for establishing and documenting an information security organization.

 4.0    Audit and Compliance Assessment Policy

This policy defines the requirements for periodic audit and compliance assessment of the information security program and related information system assets.

 5.0    Asset Management Policy

This policy defines the requirements for maintaining control of all information system assets, including procurement, asset inventory, asset removal and disposal.

 6.0    Acceptable Use of Assets Policy

This policy defines the activities that are permissible when using any Company computer and communications systems, including passwords, electronic messaging (email, IM), internet/intranet and office systems including FAX and voicemail.

 7.0    Acceptable Use of Social Networking Policy

This policy defines the requirements for the secure use of social networking sites by employees and contractors from company networks.

 8.0    Cloud Computing Security Policy

This policy defines the requirements for evaluating, approving and storing data on remote storage and processing (aka “cloud”) computing environments.

 9.0    Mobile Computing Security Policy

This sample security policy defines the controls for secure use of mobile and portable computing devices.  Topics include issuing mobile devices, configuration control, sensitive data storage, mobile device encryption, mobile access control and physical security protection.

 10.0   Remote Working (Telecommuting) Security Policy

This policy defines the requirements for the secure management of remote access to company resources, including working from remote work sites (telecommuting).  Topics include remote worker approval, remote working environments, access control and remote data security.

 11.0   Personally Owned Devices Security Policy

This policy addresses the current controls that are required to maintain information security when using portable computing devices that are not owned by the organization.  This practice is widely known in the industry as Bring-Your-Own-Device (BYOD).

 12.0   Information Classification Policy

This sample policy defines a four-level information classification scheme, including requirements for information labeling, declassification and ownership.  The classification levels include: Public (Unclassified), Private, Confidential and Secret.

 13.0   Information Exchange Policy

This policy defines the requirements for the secure exchange of information with external parties. Topics include information requests, exchange agreements, physical transit controls, encryption and electronic transit controls over networks and email.

 14.0   Information Storage and Retention Policy

This policy establishes the minimum requirements for the collection, inventory, retention and disposal of sensitive information and business records.  Topics include information collection, storage requirements, records management and litigation hold.

 15.0   Information and Media Disposal Policy

This policy defines the requirements for proper disposal of sensitive information in both electronic and physical media.  Topics include disposal requirements, equipment sanitization, reuse and resale of media, documented shredding and disposal records.

 16.0   Third Party Security Management Policy

This policy defines the minimum controls for third-party access and handling of information, including security requirements in outsourced contracts.   Topic areas include Third Party Risk Assessment, Security in Third Party Contracts, use of Application Service Providers (ASP), Third-Party Access control approval and monitoring, third-party privacy, security incident reporting and personnel management.

 17.0   Personnel Security Management Policy

This policy defines the information security-related requirements for the hiring and ongoing management of personnel including pre-employment screening, employment agreements, roles and responsibilities, code-of-conduct, security awareness education, awareness training, and termination procedures.

 18.0   Security Awareness and Training Policy

This policy defines the requirements for the development, deployment and management of information security awareness and training for all personnel.  This policy provides a more detailed set of controls than those presented within the Personnel Security Management Policy.

 19.0   Access Control Security Policy

This policy defines the controls for secure access to Company information and computer assets.  Topics include access approval, access control systems, passwords, advanced authentication, session controls, login banners, and access review.

 20.0   Account and Privilege Management Policy

This policy defines the control requirements for the secure management of user accounts on Company computer and communications systems.  Topics include user authorization, default privileges, user ID construction, user ID expiration and privileged (administrator) user accounts.

 21.0   Remote Access Security Policy

This sample policy defines the requirements for establishing the framework and ongoing management of the remote access infrastructure. The document includes controls that enable secure remote access by employees and business partners to company networks and services.

 22.0   Network Security Management Policy

This policy defines the requirements for establishing the network controls for a secure computer and communications network infrastructure.  Topics include network access control, network segregation, traffic control, remote network access, firewalls and IDS/IPS systems and domain name management.

 23.0   Firewall Security Management Policy

This policy defines the essential rules regarding the management and maintenance of firewalls (or similar networking devices such as routers or gateways) that are owned, rented, leased, or otherwise controlled by the organization.  Topics include firewall rule sets, firewall maintenance, firewall configuration and firewall testing.

 24.0   Wireless Network Security Policy

This security policy defines the requirements for the establishment and maintenance of secure wireless networks.  Topics include Approved Wireless Devices, Technical Configuration, Training, Guest Wireless Privileges, Secure Default Configuration, Loss and Recovery, Establishing Networks, Automatic Discovery, Procurement of wireless technology, Logical and Physical Security, Testing of Wireless Networks, Network Management, Change Control and Wireless Equipment Inventory.

 25.0   Physical Access Security Policy

This policy defines the requirements for establishing physical access controls at Company locations, including physical security perimeter, physical entry controls, badge management, visitor management, working in secure areas, delivery areas, and equipment security including IT data center construction.

 26.0   Data Center Security Policy *

This policy defines the requirements for establishing physical access controls and environmental controls at Company data centers.  Topics include environmental controls, alarms, redundant power supply, cabling security and equipment maintenance.

 27.0   IT Operations Security Policy *

This policy defines the requirements for management of the information technology infrastructure, including the development of standard operating procedures, system acquisition and approval, change management and separation of duties.

 28.0   System Configuration Management Policy

This policy defines the requirements for managing system configurations for information technology systems and assets.   Topics include default baseline configurations, vulnerability management, and changes to production application, computer, and communications systems.

 29.0   Change Management Policy

This policy defines the requirements for managing changes and change procedures to support production information systems.   Topics include change control procedures, change logs, change documentation, roll-backs and change testing.

 30.0   Malicious Software Management Policy

This policy defines the requirements for establishing the controls to prevent and detect the dissemination of any malicious software (virus, spyware, malware) on Company computer and communications systems.

 31.0   Encryption and Key Management Policy

This policy defines the requirements for building and managing encryption algorithms and related tools within the computer and communications systems infrastructure.  Topics include encryption standards, encryption key creation, key lifecycle management, key security, key escrow, and key transport.

 32.0   Application Development Security Policy

This policy defines the requirements for the secure development, testing and deployment of applications developed in-house or by third parties.  Controls in this policy include requirements definition, secure coding practices, outsourced development, open-source software, source code management and testing.

 33.0   Security Incident Response Policy

This policy defines the requirements for reporting and responding to incidents related to Company information systems and operations. Topics include Scope of Duties, Reporting to Internal Parties, External Reporting, Protection Of Workers Reporting Incidents, Computer Security Incident Response Team (CSIRT), Designated Incident Coordinator, Incident Related Communication, Investigations, Technical Staff guidance, Incident Reporting Communication System and electronic evidence gathering.

 34.0   Data Breach Response Policy

This sample policy defines requirements for responding to an information security incident that may result in a breach of sensitive customer information.  Topics include breach planning, incident analysis, third party notification, media notices and customer notices.

 35.0   Backup and Recovery Policy

This policy defines the requirements for maintaining and recovering backup copies of sensitive information created, processed, or stored on Company computer and communications systems.  Topics include backup schedules, backup media protection, backup testing, off-site backups and physical and environmental protection of backup media.

 36.0   IT Business Continuity Policy

This policy defines the requirements for developing, testing, and maintaining information technology business continuity and recovery plans.  Topics include Business Impact Assessments (BIA), system criticality ratings, BC planning organization, training, BC plan creation, BC plan dissemination, and BC plan update.

 37.0   Log Management and Monitoring Policy

This policy defines the requirements for managing and monitoring the audit logs that are generated by computer and communications systems.  Topics include logging requirements, specific logging events, clock synchronization, log management, log monitoring and log security.

 38.0   Customer Data Privacy Policy

This policy defines the requirements for the protection of sensitive personal information of both employees and customers.  Topics covered include privacy policy definition, privacy policy distribution, privacy policy notice, private data collection limitation, data quality, purpose specification, use limitation, data security, openness and individual participation.

 39.0   Data Privacy Program Policy

This policy defines the requirements for the establishment and documentation of a formal privacy governance program.  This type of program is required by data protection laws such as GDPR.  Topics covered include privacy program policies, privacy impact assessments, PII inventory, and privacy management procedures.

 40.0   High Level Information Security Policy

This sample information security policy covers twenty key information security topics at a detailed level within a single document.  This document can be used as a draft of an organization-wide security policy.