Home > Computers > Security > Policy > Sample Policies
These are examples of computer security policies. Some are policies which have been created and implemented by specific organizations, others are simply samples to provide guidance to those writing their own policies. You may like to use these as templates or donor documents for your own, subject to any copyright restrictions on the originals.
http://policy.uncg.edu/acceptable_use/
From the University of North Carolina, Greensboro. Specifies responsibilities and prohibited activities in relation to IT use.
http://www.first.org/_assets/resources/guides/aup_generic.doc
Template policy clarifying the acceptable use of IT devices and networks. [MS Word]
http://www.cio.ca.gov/OIS/Government/library/documents/ACCEPTABLEUSEPOLICYTEMPLATE.doc
A basic acceptable use policy, from the State of California Office of Information Security. [MS Word]
http://www.distinctivedentistry.co.uk/pdf/accidental-disclosure-2016.pdf
An example policy from a dentistry company concerning the inadvertent disclosure of personal information.
http://dii.vermont.gov/sites/dii/files/pdfs/Malicious-Software-Protection.pdf
From the State of Vermont Agency of Administration. Mandates the use of antivirus software on applicable systems.
http://depts.gpc.edu/governance/policies/New600/609.pdf
From Georgia Perimeter College. Mandates an ongoing and creative general security awareness program supplemented with more specific training where needed.
http://www.comptechdoc.org/independent/security/policies/backup-policy.html
Sample policy requiring a cycle of daily and weekly backups (monthly backups are also advisable, as is periodically testing that backups actually restore).
http://dii.vermont.gov/sites/dii/files/PDF/Policies_Reports/DII-Blogging_Policy.pdf
From the State of Vermont Agency of Administration. Policy re blogging and microblogging (e.g. on Twitter).
https://security.berkeley.edu/IT.sec.policy.html
An overarching security policy from the University of California, Berkeley, which includes links to more specific and detailed policies.
http://www.wustl.edu/policies/infosecurity.html
A high-level information security policy from Washington University in St. Louis.
http://policy.uncg.edu/copyright_compliance/
From the University of North Carolina, Greensboro. Covers compliance with copyright law when using information belonging to others.
http://policy.uncg.edu/copyright/
From the University of North Carolina, Greensboro. Policy on protecting the organization's own intellectual property through copyright.
http://policy.uncg.edu/data/
From the University of North Carolina, Greensboro. Deliberately simple: defines just two classification levels. Includes responsibilities.
http://policy.yale.edu/policy/1503-development-or-revision-and-posting-university-policies-procedures-and-forms
Formalities around the development or update and publication of policies, procedures and forms. From Yale University.
http://dii.vermont.gov/sites/dii/files/PDF/Support/Digital-Media-and-Hardware-Disposal-Policy.pdf
From the State of Vermont Agency of Administration. Policy on disposing of IT systems and media securely, without carelessly discarding confidential data.
http://www.templatezone.com/pdfs/Disaster-Recovery-policy.pdf
Basic disaster recovery (DR) policy in just over one page.
http://www.uidaho.edu/its/ecommerce/ecommerceprivacypolicy
Policy concerning privacy of visitors to websites, covering logs, cookies and information volunteered.
http://policy.ucop.edu/doc/7000470/ElectronicCommunications
Formal policy from the University of California covering email and other electronic communications mechanisms.
https://www.cu.edu/sites/default/files/6002.pdf
Policy from the University of Colorado on the use of email and other means of electronic communication for official purposes.
http://policy.uncg.edu/electronic_records/
From the University of North Carolina, Greensboro. Covers the retention of various data files, including those subject to litigation.
http://policy.yale.edu/policy/1613-electronic-signatures-and-records
Concerns what systems can be used for electronic signatures, and under what conditions. From Yale University.
https://www.sans.org/security-resources/policies/retired/pdf/automatically-forwarded-email-policy
Email must not be forwarded automatically to an external destination without prior approval from the appropriate manager.
http://doit.niu.edu/doit/policies_root/email.shtml
Policy from Northern Illinois University's IT Services group. Outlines some unacceptable uses.
http://openssl.org/docs/fips/SecurityPolicy-1.1.1.pdf
Security policy for the OpenSSL FIPS software object module, required for validation against FIPS (Federal Information Processing Standard) 140-2.
http://www.connexis.org.nz/docs/default-source/about-us/governance-policies-handbook.pdf
Corporate governance policies handbook from Connexis, New Zealand.
http://policy.uncg.edu/hipaa/
From the University of North Carolina, Greensboro. Policy on compliance with the Health Insurance Portability and Accountability Act.
http://policy.uncg.edu/identity_theft_prevention/
From the University of North Carolina, Greensboro. Lays out controls for detecting and reacting to 'red flag' situations linked to identity theft.
http://www.hw.ac.uk/documents/information-security-incident-management.pdf
From Heriot-Watt University. Clarifies the respective roles of students, faculty and administrators in reporting and dealing with information security incidents.
http://dii.vermont.gov/sites/dii/files/pdfs/Incident-Response-Policy.pdf
From the State of Vermont Agency of Administration. Policy defining the essential elements of the process for responding to security incidents.
http://www.cspotools.com/
Policies from CSPO Tools Inc., some of which are available without charge as PDF files or for an annual subscription as MS Word files, along with additional content.
http://www.sans.org/security-resources/policies/
SANS consensus research project offering around 30 editable information security policies.
http://www.ucisa.ac.uk/~/media/Files/publications/toolkits/ist/ISTEd3%20pdf
An extensive set of ISO27k-based policies for universities from the Universities and Colleges Information Systems Association (UCISA).
http://www.ccrg.ox.ac.uk/datasets/policystatement.shtml
High-level information security policy statement for the Childhood Cancer Research Group at Oxford University.
http://www.newschool.edu/informationtechnology/information-security-policy.pdf
From the New School university in New York. Includes a set of 21 high level principles, cross-referenced to ISO/IEC 27002:2005.
http://policy.uncg.edu/information_security/
From the University of North Carolina, Greensboro. Very succinct - just 5 policy goals.
http://www.cashnetindia.com/cashnet/website/Main/pdf/Euronet-Information-Security-Policy_V3_4.pdf
From Euronet Services India. In addition to a page of information security policy statements, it lists roles and responsibilities, plus supporting policies.
http://policy.yale.edu/policy/1607-information-technology-appropriate-use-policy
Lays down the rules concerning acceptable ways of using the institution's IT facilities. From Yale University.
http://www.ruskwig.com/docs/internet_policy.pdf
One page Acceptable Use Policy example.
http://dii.vermont.gov/sites/dii/files/pdfs/Intrusion-Detection-and-Prevention-Policy.pdf
From the State of Vermont Agency of Administration. Policy on specifying, installing and using IDS/IPS.
http://www.symantec.com/connect/articles/introduction-security-policies-part-four-sample-policy
Example security policy to demonstrate policy writing techniques introduced in three earlier articles.
http://www.27001-online.com/secpols.htm
Typical headings for a security policy aligned broadly with ISO/IEC 27002, the code of practice for information security controls that supports the ISO/IEC 27001 management system standard.
http://www.iso27001security.com/html/toolkit.html
Collection of information security policies, procedures etc. aligned with the ISO/IEC 27000-series standards and provided under a Creative Commons license.
https://www.igt.hscic.gov.uk/WhatsNewDocuments/Exemplar%20Laptop%20Security%20Policy.doc
Exemplar laptop security policy from the National Health Service (HSCIC Information Governance Toolkit). [MS Word]
http://fa.oregonstate.edu/files/surplus/osu_policy_disposal_data_storage_equip_v.0314.pdf
Succinct policy from Oregon State University requiring that a competent person signs a release form before disposing of storage media from which the data have been securely erased (e.g. by 7x overwrite). Note that overwriting does not reliably sanitize flash media such as SSDs, whose wear-levelling can leave copies of data in blocks the overwrite never reaches; current guidance (NIST SP 800-88) treats a single overwrite as sufficient for modern magnetic disks and prefers cryptographic erase or physical destruction for flash.
http://www.watchguard.com/docs/whitepaper/securitypolicy_wp.pdf
Watchguard's guide to creating an overarching network information security policy, supported by subsidiary policies.
http://policy.uncg.edu/security_breach_notification/
From the University of North Carolina, Greensboro. Policy about mandatory notification of breaches involving the disclosure of personal information.
http://www.datasecuritypolicies.com/wp-content/uploads/2007/04/generic-personnel-security-policy.pdf
Example policy covering pre-employment screening, security policy training etc.
http://dii.vermont.gov/sites/dii/files/pdfs/Physical-Security-for-Computer-Protection.pdf
From the State of Vermont Agency of Administration. Covers physical access controls and the secure provision of power etc. to a computer room.
http://online.norwich.edu/about-us/privacy-policy
One of many examples on the WWW, this one from the School of Graduate Studies at Norwich University.
https://www.google.co.nz/intl/en/policies/privacy
Google's privacy policy is clearly written.
https://www.cu.edu/ope/efficiency-and-effectiveness/presidents-task-force-efficiency/aps-6001-providing-and-using
Concerns ownership and rights over corporate IT equipment, in the University of Colorado. This policy includes an explanatory FAQ section.
http://policy.yale.edu/policy/1106-preserving-records-legal-purposes
Concerns the need to retain formal records associated with ongoing legal actions. From Yale University.
http://policy.yale.edu/policy/1105-retention-university-financial-records
Covers retention of documents/information for business and compliance purposes. From Yale University.
https://www.sans.org/security-resources/policies/server-security/pdf/server-security-policy
Defines minimum security configuration standards for servers inside the organization's production network, or used in a production capacity.
http://policy.yale.edu/policy/1602-protecting-security-and-confidentiality-social-security-numbers
Controls to maintain the secrecy of SSNs. From Yale University.
http://policy.uncg.edu/ssn/
From the University of North Carolina, Greensboro. Specifies security controls to protect SSNs.
http://spg.umich.edu/policy/601.07
Policy covering appropriate use of information resources and IT at the University of Michigan.
http://www.womans-work.com/teleworking_policy.htm
Sample policy on teleworking covering employment as well as information security issues.
http://policy.uncg.edu/university-policies/teleworking/
From the University of North Carolina, Greensboro. Covers health and safety and employment issues as well as IT security aspects of home working.
http://dii.vermont.gov/sites/dii/files/pdfs/Third-Party-Network-Connectivity.pdf
From the State of Vermont Agency of Administration. Third-party network connections require a documented business case, audits, etc.
http://www.upenn.edu/computing/policy/
Electronic resource usage and security policies from the University of Pennsylvania.
http://security.louisville.edu/PolStds
A set of information security policies from the University of Louisville.
https://www.euronext.com/sites/www.euronext.com/files/euronext_nv_whistleblower_policy_20140620.pdf
By Euronext N.V. Requires employees to report serious noncompliance incidents, offering whistleblowers protection against disadvantage.
https://www.sans.org/security-resources/policies/network-security/pdf/wireless-communication-policy
Concerns the use of wireless networking devices.
http://policy.uncg.edu/wireless/
From the University of North Carolina, Greensboro. Prohibits wireless devices that may interfere with authorized wireless systems.
Thanks to DMOZ, which built a great web directory for nearly two decades and freely shared it with the web.