Company
Security Policies
Awareness Presentations
InfoSec Department
Report an Incident
Viruses/Hoaxes
Regulations
Security News
Security Library
Security Links
This is an example using SANS security policy templates.
Security Policies Manual
Acceptable Encryption Policy � Defines requirements for encryption algorithms used within the organization.
Acceptable Use Policy - Defines acceptable use of equipment and computing services, and the appropriate employee security measures to protect the organization�s corporate resources and proprietary information.
Analog/ISDN Line Policy - Defines standards for use of analog/ISDN lines for Fax sending and receiving, and for connection to computers.
Anti-Virus Process - Defines guidelines for effectively reducing the threat of computer viruses on the organization�s network.
Application Service Provider Policy - Defines minimum security criteria that an ASP must execute in order to be considered for use on a project by the organization.
Application Service Provider Standards - Outlines the minimum security standards for the ASP. This policy is referenced in the ASP Policy above.
Acquisition Assessment Policy - Defines responsibilities regarding corporate acquisitions, and defines the minimum requirements of an acquisition assessment to be completed by the information security group.
Audit Vulnerability Scanning Policy - Defines the requirements and provides the authority for the information security team to conduct audits and risk assessments to ensure integrity of information/resources, to investigate incidents, to ensure conformance to security policies, or to monitor user/system activity where appropriate.
Automatically Forwarded Email Policy - Documents the requirement that no email will be automatically forwarded to an external destination without prior approval from the appropriate manager or director.
Database Credentials Coding Policy - Defines requirements for securely storing and retrieving database usernames and passwords.
Dial-in Access Policy - Defines appropriate dial-in access and its use by authorized personnel.
DMZ Lab Security Policy - Defines standards for all networks and equipment deployed in labs located in the "Demilitarized Zone" or external network segments.
E-mail Policy - Defines standards to prevent tarnishing the public image of the organization.
E-mail Retention - The Email Retention Policy is intended to help employees determine what information sent or received by email should be retained and for how long.
Ethics Policy - Defines the means to establish a culture of openness, trust and integrity in business practices.
Extranet Policy - Defines the requirement that third party organizations requiring access to the organization�s networks must sign a third-party connection agreement.
Information Sensitivity Policy - Defines the requirements for classifying and securing the organization�s information in a manner appropriate to its sensitivity level.
Internal Lab Security Policy - Defines requirements for internal labs to ensure that confidential information and technologies are not compromised, and that production services and interests of the organization are protected from lab activities.
Internet DMZ Equipment Policy - Defines the standards to be met by all equipment owned and/or operated by the organization that is located outside the organization�s Internet firewalls (the demilitarized zone or DMZ)).
Lab Anti-Virus Policy - Defines requirements which must be met by all computers connected to the organization�s lab networks to ensure effective virus detection and prevention.
Password Protection Policy - Defines standards for creating, protecting, and changing strong passwords.
Remote Access Policy - Defines standards for connecting to the organization�s network from any host or network external to the organization.
Risk Assessment Policy - Defines the requirements and provides the authority for the information security team to identify, assess, and remediate risks to the organization�s information infrastructure associated with conducting business.
Router Security Policy - Defines standards for minimal security configuration for routers and switches inside a production network, or used in a production capacity.
Server Security Policy - Defines standards for minimal security configuration for servers inside the organization�s production network, or used in a production capacity.
The Third Party Network Connection Agreement - Defines the standards and requirements, including legal requirements, needed in order to interconnect a third party organization�s network to the production network. This agreement must be signed by both parties.
VPN Security Policy - Defines the requirements for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the organization�s network.
Wireless Communication Policy - Defines standards for wireless systems used to connect to the organization�s networks.