Information Security Policy Templates

(Source: http://www.sans.org/security-resources/policies/)
I. Audit Security Policy Templates
Audit Vulnerability Scanning Policy
Defines the requirements and provides the authority for the information security team to conduct audits
and risk assessments to ensure integrity of information/resources, to investigate incidents, to ensure
conformance to security policies, or to monitor user/system activity where appropriate.
Revised Audit Vulnerability Scan Policy (Word Doc)
Information System Audit Logging Requirements
In July 2006 SANS held its first ever Log Management Summit. One issue identified at the Summit is
that it is difficult to ensure that all information systems generate appropriate audit logs and that those
audit logs can be integrated with an enterprise's log management function.
This document attempts to address this issue by identifying specific requirements information systems
must meet in order to generate appropriate audit logs and integrate with an enterprise's log
management function.
The intention is that this language can easily be adapted for use in enterprise IT security policies and
standards, and also in enterprise procurement standards and RFP templates. In this way, organizations
can ensure that new IT systems, whether developed in-house or procured, support necessary audit
logging and log management functions.
View Information System Audit Logging Requirements (PDF)
Download Information System Audit Logging Requirements (Word Doc)

II. Computer Security Policy Templates
Acceptable Encryption Policy
Defines requirements for encryption algorithms used within the organization.
View Acceptable Encryption Policy (PDF)
Download Acceptable Encryption Policy (Word Doc)
Acceptable Use Policy
Defines acceptable use of equipment and computing services, and the appropriate employee security
measures to protect the organization's corporate resources and proprietary information.
View Acceptable Use Policy (PDF)
Download Acceptable Use Policy (Word Doc)
Application Service Provider Policy
Defines minimum security criteria that an ASP must execute in order to be considered for use on a
project by the organization.
View Application Service Provider Policy (PDF)
Download Application Service Provider Policy (Word Doc)
Application Service Provider Standards
Outlines the minimum security standards for the ASP. This policy is referenced in the ASP Policy above.
View Application Service Provider Standards (PDF)
Download Application Service Provider Standards (Word Doc)
Computer Disaster Recovery Plan Policy
Robert Comella
View Computer Disaster Recovery Plan (PDF) (46KB)
SANS Technology Institute White Paper Project
July 2009
Computer Disaster Recovery Plan - Poster
Robert Comella
View Computer Disaster Recovery Plan (PDF) (3.22MB)
SANS Technology Institute White Paper Project
July 2009
Database Credentials Coding Policy
Defines requirements for securely storing and retrieving database usernames and passwords.
View Database Credentials Coding Policy (PDF)
Download Database Credentials Coding Policy (Word Doc)
End User Encryption Key Protection Policy
Rick D. Smith
View End User Encryption Key Protection Policy (PDF) (92KB)
SANS Technology Institute White Paper Project
August 2009
End User Encryption Key Protection - Poster
Rick D. Smith
View End User Encryption Key Protection Poster (PDF) (207KB)
SANS Technology Institute White Paper Project
August 2009
Password Protection Policy
Defines standards for creating, protecting, and changing strong passwords.
View Password Protection Policy (PDF)
Download Password Protection Policy (Word Doc)
Software Installation Policy
John Brozycki
View Software Installation Policy (PDF) (16KB)
SANS Technology Institute White Paper Project
November 2007
Software Installation Policy - Poster
John Brozycki
View Software Installation Policy Poster PDF (868KB)
SANS Technology Institute White Paper Project
November 2007
Workstation Security Policy
Russell Meyer
View Workstation Security Policy (Word Doc) (52KB)
SANS Technology Institute White Paper Project
February 2008
Workstation Security - Poster
Russell Meyer
View Workstation Security Poster (Word Doc) (1.1MB)
SANS Technology Institute White Paper Project
February 2008
III. Desktop Security Policy Templates
Clean Desk - Policy
Tim Proffitt
View Clean Desk Policy (DOC) (32KB)
SANS Technology Institute White Paper Project
August 2008
Clean Desk - Poster
Tim Proffitt
View Clean Desk Poster (PDF) (376KB)
SANS Technology Institute White Paper Project
August 2008
Social Engineering Awareness: Employee Front Desk Communication and Awareness Policy
Emilio Valente
View Social Engineering Awareness Policy (Word Doc) (123KB)
View Social Engineering Awareness Policy (PDF) (72KB)
SANS Technology Institute White Paper Project
August 2009
Social Engineering Awareness - Poster
Emilio Valente
View Social Engineering Awareness Poster (Word Doc) (175KB)
View Social Engineering Awareness Poster (PDF) (175KB)
SANS Technology Institute White Paper Project
August 2009
IV. Email Security Policy Templates
Automatically Forwarded Email Policy
Documents the requirement that no email will be automatically forwarded to an external destination without
prior approval from the appropriate manager or director.
View Automatically Forwarded Email Policy (PDF)
Download Automatically Forwarded Email Policy (Word Doc)
E-mail Policy
Defines standards to prevent tarnishing the public image of the organization.
View E-mail Policy (PDF)
Download E-mail Policy (Word Doc)
E-mail Retention Policy
The Email Retention Policy is intended to help employees determine what information sent or received by
email should be retained and for how long.
View E-mail Retention Policy (PDF)
Download E-mail Retention Policy (Word Doc)
V. HIPAA Security Policy: Health Insurance Portability and Accountability Act
What is all the hype on HIPAA Security Policy?
HIPAA stands for Health Insurance Portability and Accountability Act.
From the HIPAA FAQ:
Passed in 1996, HIPAA is designed to protect confidential healthcare information through improved security
standards and federal privacy legislation. It defines requirements for storing patient information before,
during and after electronic transmission. It also identifies compliance guidelines for critical business tasks
such as risk analysis, awareness training, audit trail, disaster recovery plans and information access control
and encryption.
Complying with Security Standards
There are 18 information security standards in three areas that must be met to
ensure compliance with the HIPAA Security Rule.
The three areas are:
Administrative Safeguards: Documented policies and procedures for day-to-day operations; managing the
conduct of employees with electronic protected health information (EPHI); and managing the selection,
development, and use of security controls.
Physical Safeguards: Security measures meant to protect an organization's electronic information systems,
as well as related buildings and equipment, from natural hazards, environmental hazards, and unauthorized
intrusion.
Technical Safeguards: Security measures that specify how to use technology to protect EPHI, particularly
controlling access to it.
VI. Internet Security Policy Templates
Anti-Virus Guidelines
Defines guidelines for effectively reducing the threat of computer viruses on the organization's network.
View Anti-Virus Guidelines (PDF)
Download Anti-Virus Guidelines (Word Doc)
Employee Internet Use Monitoring and Filtering Policy - Report
Kevin Bong
View Employee Internet Use Report (Word Doc) (121KB)
View Employee Internet Use Report (PDF) (80KB)
SANS Technology Institute White Paper Project
November 2007
Communications Equipment Security Policy
Manuel Humberto Santander Pelaez
View Communications Equipment Security Policy (Word Doc) (40KB)
SANS Technology Institute White Paper Project
July 2009
Communications Equipment Security - Poster
Manuel Humberto Santander Pelaez
View Communications Equipment Security Poster (PDF) (83KB)
SANS Technology Institute White Paper Project
July 2009
Digital Signature Acceptance Policy
Charlie Scott
View Digital Acceptance Policy (PDF) (115KB)
SANS Technology Institute White Paper Project
October 2009
Digital Signature Acceptance Policy - Slides
Charlie Scott
View Digital Signature Acceptance Policy Slides (PDF) (82KB)
SANS Technology Institute White Paper Project
October 2009
Extranet Policy
Defines the requirement that third party organizations requiring access to the organization's networks must
sign a third-party connection agreement.
View Extranet Policy (PDF)
Download Extranet Policy (Word Doc)
Internet DMZ Equipment Policy
Defines the standards to be met by all equipment owned and/or operated by the organization that is located
outside the organization's Internet firewalls (the demilitarized zone or DMZ).
View Internet DMZ Equipment Policy (PDF)
Download Internet DMZ Equipment Policy (Word Doc)
Internet Usage Policy
A Sample Internet Usage Policy for Employees
View Internet Usage Policy (PDF)
Download Internet Usage Policy (Word Doc)
Lab Anti-Virus Policy
Defines requirements which must be met by all computers connected to the organization's lab networks to
ensure effective virus detection and prevention.
View Lab Anti-Virus Policy (PDF)
Download Lab Anti-Virus Policy (Word Doc)
Not Everything is as it Seems - Poster
Brian Granier
View Project PDF (288KB)
SANS Technology Institute White Paper Project
November 2006
Remote Access Tools Policy
John Jarocki
View Remote Access Tools Policy (Word Doc) (30KB)
View Remote Access Tools Policy (PDF) (76KB)
SANS Technology Institute White Paper Project
May 2010
Remote Access Tools Policy - Slides with Notes
John Jarocki
View Remote Access Tools Slides and Notes (PPT) (200KB)
SANS Technology Institute White Paper Project
May 2010
Responsible Web Use - Poster
Kevin Bong
View Responsible Web Use Poster (PDF) (1.1MB)
View Responsible Web Use Poster (PDF) (76KB)
SANS Technology Institute White Paper Project
November 2007
VII. Mobile Security Policy Templates
Mobile Employee Endpoint Responsibility Policy
Stephen Northcutt
Mobile Employee Endpoint Responsibility Policy (Word Doc) (23KB)
Microsoft Endpoint Privacy and Security - What Works and What Does Not (PDF) (2.75MB)
Microsoft Endpoint Privacy and Security - What Works and What Does Not (PowerPoint) (2.5MB)
January 2010
Mobile Device Encryption Policy
Eric Conrad
View Mobile Device Encryption Policy (Word Doc) (48KB)
SANS Technology Institute White Paper Project
March 2008
Mobile Device Encryption - Lost Laptops - Poster
Eric Conrad
View Mobile Device Encryption Poster (Word Doc) (490KB)
SANS Technology Institute White Paper Project
March 2008
Remote Access, Mobile Computing and Storage Device Policy
To establish an authorized method for controlling mobile computing and storage devices that contain or
access information resources.
View Remote Access Policy (PDF)
Download Remote Access Policy (Word Doc)
VIII. Network Security Policy Templates
Analog/ISDN Line Policy
Defines standards for use of analog/ISDN lines for Fax sending and receiving, and for connection to
computers.
View Analog/ISDN Line Policy (PDF)
Download Analog/ISDN Line Policy (Word Doc)
DMZ Lab Security Policy
Defines standards for all networks and equipment deployed in labs located in the "Demilitarized Zone" or
external network segments.
View DMZ Lab Security Policy (PDF)
DMZ Lab Security Policy (Word Doc)
Remote Access Policy
Defines standards for connecting to the organization's network from any host or network external to the
organization.
View Remote Access Policy (PDF)
Remote Access Policy (Word Doc)
Router Security Policy
Defines standards for minimal security configuration for routers and switches inside a production network, or
used in a production capacity.
View Router Security Policy (PDF)
Download Router Security Policy (Word Doc)
The Third Party Network Connection Agreement
Defines the standards and requirements, including legal requirements, needed in order to interconnect a
third party organization's network to the production network. This agreement must be signed by both parties.
View Third Party Network Connection Agreement (PDF)
Download Third Party Network Connection Agreement (Word Doc)
VPN Security Policy
Defines the requirements for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to
the organization's network.
View VPN Security Policy (PDF)
VPN Security Policy (Word Doc)
IX. Physical Security Policy Templates
Visitor and Contractor Access Policy - Policy
Rob VandenBrink
View Visitor and Contractor Access Policy (Word Doc) (42KB)
View Visitor and Contractor Access Policy (PDF) (104KB)
SANS Technology Institute White Paper Project
April 2010
Visitor and Contractor Access Policy - Poster
Rob VandenBrink
View Visitor and Contractor Access Poster (PDF) (566KB)
SANS Technology Institute White Paper Project
April 2010

X. Server Security Policy Templates
Removable Media Policy
Defines coverage of all computers and servers operating in an organization.
View Removable Media Policy (PDF)
Download Removable Media Policy (Word Doc)
Server Malware Protection Policy
Outlines which server systems are required to have anti-virus and/or anti-spyware applications.
View Server Malware Protection Policy (PDF)
Download Server Malware Protection Policy (Word Doc)
Server Security Policy
Defines standards for minimal security configuration for servers inside the organization's production network,
or used in a production capacity.
View Server Security Policy (PDF)
Server Security Policy (Word Doc)
XI. Wireless Security Policy Templates
Wireless Communication Policy
Defines standards for wireless systems used to connect to the organization's networks.
View Wireless Communication Policy (PDF)
Download Wireless Communication Policy (Word Doc)
Wireless Communication Standard
Defines standards for wireless systems used to connect to the organization's networks.
View Wireless Communication Standard (PDF)
Download Wireless Communication Standard (Word Doc)