Computers - Security - Policy - Sample Policies (Google Directory)

Information Security Policies - http://www.sans.org/resources/policies/
SANS consensus research project offering around 30 editable information security policies.

Electronic Communications Policy - http://www.ucop.edu/ucophome/coordrev/policy/PP081805ECP.pdf
Formal policy from the University of California covering email and other electronic communications mechanisms

Information Security Policies - http://csrc.nist.gov/fasp/jump.html
NIST's collection of well over 100 security policies and related awareness materials, mostly from US Government bodies.

HSPD-12 Privacy Policy - http://www.whitehouse.gov/omb/memoranda/fy2006/m06-06_att.doc
Sample privacy policy including Privacy Act systems of records notices, Privacy Act statements and a privacy impact assessment, designed to satisfy the requirements of HSPD-12 “Policy for a Common Identification Standard for Federal Employees and Contractors”

University Information Security Policies - http://www.upenn.edu/computing/policy/
Electronic resource usage and security policies from the University of Pennsylvania.

Network Security Policy - http://www.utoronto.ca/security/documentation/policies/policy_5.htm
Example security policy for a data network from the University of Toronto.

Wireless Communication Policy - http://www.sans.org/resources/policies/Wireless_Communication_Policy.pdf
Sample policy concerning the use of unsecured wireless communications technology.

Audit Policy - http://www.sans.org/resources/policies/Audit_Policy.pdf
Defines requirements and provides authority for the information security team to conduct IT audits and risk assessments.

Standard Practice Guide - http://spg.umich.edu/pdf/601.07-0.pdf
Policy covering appropriate use of information resources and IT at the University of Michigan.

Internet DMZ Equipment Policy - http://www.sans.org/resources/policies/Internet_DMZ_Equipment_Policy.pdf
Sample policy defining the minimum requirement for all equipment located outside the corporate firewall.

Server Security Policy - http://www.sans.org/resources/policies/Server_Security_Policy.pdf
Defines standards for minimal security configuration for servers inside the organization's production network, or used in a production capacity.

Email Retention Policy - http://www.sans.org/resources/policies/email_retention.doc
Sample policy to help employees determine which emails should be retained and for how long.

Ethics Policy - http://www.sans.org/resources/policies/Ethics_Policy.doc
Sample policy intended to 'establish a culture of openness, trust and integrity'.

Extranet Policy - http://www.sans.org/resources/policies/Extranet_Policy.doc
Defines the requirement that third party organizations requiring access to the organization's networks must sign a third-party connection agreement. [MS Word]

Password Policy - http://www.sans.org/resources/policies/Password_Policy.doc
Defines standards for creating, protecting and changing strong passwords. [MS Word]

Information Sensitivity Policy - http://www.sans.org/resources/policies/Information_Sensitivity_Policy.pdf
Sample policy defining the assignment of sensitivity levels to information.

Database Password Policy - http://www.sans.org/resources/policies/DB_Credentials_Policy.doc
Defines requirements for securely storing and retrieving database usernames and passwords. [MS Word]

Risk Assessment Policy - http://www.sans.org/resources/policies/Risk_Assessment_Policy.doc
Defines requirements and authorizes the information security team to identify, assess and remediate risks to the organization's information infrastructure. [MS Word]

Remote Access Policy - http://www.sans.org/resources/policies/Remote_Access_Policy.doc
Defines standards for connecting to a corporate network from any host. [MS Word]

Router Security Policy - http://www.sans.org/resources/policies/Router_Security_Policy.doc
Sample policy establishing the minimum security requirements for all routers and switches connecting to production networks. [MS Word]

Dial-in Access Policy - http://www.sans.org/resources/policies/Dial-in_Access_Policy.doc
Policy regarding the use of dial-in connections to corporate networks. [MS Word]

DMZ Security Policy - http://www.sans.org/resources/policies/DMZ_Lab_Security_Policy.doc
Sample policy establishing security requirements of equipment to be deployed in the corporate De-Militarized Zone. [MS Word]

Virtual Private Network Policy - http://www.sans.org/resources/policies/Virtual_Private_Network.pdf
Defines the requirements for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the organization's network.

Application Service Provider Policy - http://www.sans.org/resources/policies/Application_Service_Providers.pdf
Security criteria for an ASP.

Email Forwarding Policy - http://www.sans.org/resources/policies/Automatically_Forwarded_Email_Policy.pdf
Email must not be forwarded automatically to an external destination without prior approval from the appropriate manager.

Third Party Connection Agreement - http://www.sans.org/resources/policies/Third_Party_Agreement.pdf
Sample agreement for establishing a connection to an external party.

Security Policy Primer - http://www.sans.org/resources/policies/Policy_Primer.pdf
General advice for those new to writing information security policies.

Encryption Policy - http://www.sans.org/resources/policies/Acceptable_Encryption_Policy.doc
Defines encryption algorithms that are suitable for use within the organization. [MS Word]

Laboratory Security Policy - http://www.sans.org/resources/policies/Internal_Lab_Security_Policy.doc
Policy to secure confidential information and technologies in the labs and protect production services and the rest of the organization from lab activities. [MS Word]

Acceptable Use Policy - http://www.sans.org/resources/policies/Acceptable_Use_Policy.doc
Defines acceptable use of IT equipment and computing services, and the appropriate employee security measures to protect the organization's corporate resources and proprietary information. [MS Word]

Acquisition Assessment Policy - http://www.sans.org/resources/policies/Aquisition_Assessment_Policy.doc
Defines responsibilities regarding corporate acquisitions and the minimum requirements of an acquisition assessment to be completed by the information security group. [MS Word]

Anti-Virus Policy - http://www.sans.org/resources/policies/Lab_Anti-Virus_Policy.doc
Requirements for effective virus detection and prevention. Written for a laboratory environment but easy to adapt for other settings. [MS Word]

Analog/ISDN Line Policy - http://www.sans.org/resources/policies/Analog_Line_Policy.doc
Defines policy for analog/ISDN lines used for FAXing and data connections.

Campus Security Policy - https://security.berkeley.edu/IT.sec.policy.html
An overarching security policy from Berkeley University includes links to more specific and detailed policies.

Campus Security Policy - http://www.wustl.edu/policies/infosecurity.html
High level information security policy from Washington University.

Information Security Policies - http://www.ucisa.ac.uk/publications/ist.aspx
The Information Security Toolkit from UCISA (University Colleges and Information Systems Association) contains a suite of security policy and guidance documents reflecting and cross-referenced against BS7799, intended for use in universities. [PDF documents]

ISO/IEC 27001 Policies - http://www.27001-online.com/secpols.htm
Typical headings for a security policy aligned broadly with the ISO/IEC 27002 standard for information security management systems.

Information Security Policy - http://www.obfs.uillinois.edu/manual/central_p/sec19-5.html
An information security policy from the University of Illinois.

IT Security Policy - http://www.murdoch.edu.au/admin/policies/itsecurity/policy.html
Information technology security policy at Murdoch University, complete wth supporting standards and guidelines.

Backup Policy - http://its.uncg.edu/Policy_Manual/Computer_Backup/
Sample policy from the University of North Carolina requires daily, weekly and monthly backups (sometimes known as 'grandfather, father, son').

The ePolicy Institute - http://www.epolicyinstitute.com
Provides policies and resources on information security and other related topics.

Email Policy - http://www.its.niu.edu/its/Policies/email_pol.shtml
Northern Illinois University email policy

Password Policy - http://www.umflint.edu/its/units/initiatives/publicity/password.htm
A password policy presented in the form of a series of security awareness posters. "Passwords are like underwear ..."

ISO27k Toolkit - http://www.iso27001security.com/html/iso27k_toolkit.html
Collection of information security policies, procedures etc. aligned with the ISO/IEC 27000-series standards and provided under the Creative Commons license.

Privacy Policy - http://www.graduate.norwich.edu/privacy_policy.php
Concise policy (just 3 paragraphs) published by the School of Graduate Studies at Norwich University.

Backup Policy - http://www.comptechdoc.org/independent/security/policies/backup-policy.html
Sample policy requires a cycle of daily and weekly backups (monthly backups are also advisable).

Information Security Policy - http://www.ccrg.ox.ac.uk/datasets/policystatement.htm
High-level information security policy statement for the Childhood Cancer Research Group at Oxford University.

Information Security Policies - http://www.securitydocs.com/Security_Policies/Sample_Policies
An extensive collection of information security policy samples at SecurityDocs.

University Information Security Policies - http://security.louisville.edu/PolStds
A set of information security policies from the University of Louisville.

K-20 Network Acceptable Use Policy - http://www.k12.wa.us/K-20/AUPSchBoardNetworkUse.aspx
Policy on acceptable use of a school network, along with information for parents and an informed consent form. Developed in Washington State.

IT Security Policy - http://www.enterprise-ireland.com/ebusinesssite/guides/internal_security/internal_security_index.asp
IT security policy example/how-to guide from Enterprise Ireland.

Information Security Policy - http://www.pdfku.com/download-pdf-828.html
High level security policy/guideline from the Department of Health and Human Resources.

Telecommuting/Teleworking Policy - http://www.womans-work.com/teleworking_policy.htm
Sample policy on teleworking covering employment as well as information security issues.

IP Network Security Policy - http://www.securityfocus.com/infocus/1497
Example security policy to demonstrate policy writing techniques introduced in three earlier articles.

Network Security Policy Guide - http://www.watchguard.com/docs/whitepaper/securitypolicy_wp.pdf
Watchguard's guide to creating an overarching network information security policy, supported by subsidiary policies.

Internet Acceptable Use Policy - http://www.ruskwig.com/docs/internet_policy.pdf
One page Acceptable Use Policy example.

Modem Policy - http://www.sandstorm.net/products/phonesweep/modempolicy.php
Sample policy from Sandstorm, designed as an addition to an existing Remote Access Policy, if one exists, or simply to stand alone.

Information Security Policies - http://www.tess-llc.com/TESS-DOR-EXAMPLES.htm
Templates for information security policies, guidelines, checklists and procedures by Walt Kobus.

Cryptography Policy - http://www.tess-llc.com/Cryptography%20PolicyV4.pdf
Cryptographic policy template by Walt Kobus.

Security Audit Policy - http://www.tess-llc.com/Security%20Audit%20PolicyV4.pdf
Audit policy template by Walt Kobus.

Security Management Policy - http://www.tess-llc.com/Security%20Mngt%20PolicyV4.pdf
General information security policy template by Walt Kobus.

User Data Protection Policy - http://www.tess-llc.com/User%20Data%20Protection%20PolicyV4.pdf
Policy template by Walt Kobus defines requirements for access controls, least privilege, integrity etc. to secure personal data.

Holistic Operational Security Readiness Evaluation - http://www.lazarusalliance.com/horsewiki/index.php/Documents
Collaborative open project building a library of sample information security policies, supporting standards and other documents through a wiki.

Information Data Ownership Policy - http://www.tess-llc.com/Information%20Data-Ownership%20PolicyV4.pdf
Policy template by Walt Kobus defines the roles and responsibilities of owners, custodians and users of information systems.

Resource Utilization Policy - http://www.tess-llc.com/Resource%20Utilization%20PolicyV4.pdf
Poilicy template by Walt Kobus defines requirements for resilience, redundancy and fault tolerance in information systems.

Data Classification Policy - http://www.tess-llc.com/Data%20Classification%20PolicyV4.pdf
Policy template by Walt Kobus describes the classification of information according to sensitivity (primarily confidentiality).

Physical Security Policy - http://www.tess-llc.com/Physical%20Security%20PolicyV4.pdf
Policy template by Walt Kobus defines requirements for physical access control to sensitive facilities and use of ID badges.

Personnel Security Policy - http://www.datasecuritypolicies.com/wp-content/uploads/2007/04/generic-personnel-security-policy.pdf
Example policy covering pre-employment screening, security policy training etc.

Privacy Policy - http://www.cbe.uidaho.edu/wegman/404/PRIVACY%20POLICY%20IVI%20Generic.htm
Generic policy for websites offering goods and services, with an important warning to seek qualified legal advice in this area.

Ethics Policy - http://www.spirent.com/about/technology.cfm?media=7&ws=324&ss=177
Ethical behavior underpins all procedural security controls. This ethics policy from Spirent is a useful model.

Information Security Policies - http://www.gcio.nsw.gov.au/documents/Information%20Security%20Guideline%20V1.1.pdf
111-page security policy manual from the Australian New South Wales Department of Commerce, based on ISO/IEC 27001.

Use of Electronic Mail - http://www.cusys.edu/~policies/General/email.html
Policy from the University of Colorado on the use of, access to, and disclosure of electronic mail.

Communications Policy - http://www.tess-llc.com/Communications%20PolicyV4.pdf
Datacommunications security policy template by Walt Kobus defines network security control requirements.

Certification and Accreditation Policy - http://www.tess-llc.com/Certification%20&%20Accreditation%20PolicyV4.pdf
Policy template by Walt Kobus defines requirements and responsibilities for security assurance throughout the system development process.

Identification and Authentication Policy - http://www.tess-llc.com/Identification%20&%20Authentication%20PolicyV4.pdf
I&A policy template by Walt Kobus defines requirements for access control.

Backup Policy - http://bizsecurity.about.com/od/securitypolices/a/backupprimer.htm
A primer to help small businesses write their own backup policies.

Law Enforcement Data Security Standards - http://www.cleds.vic.gov.au/retrievemedia.asp?Media_ID=20338
IT security policy applicable to the Victoria Police in Australia. 93 pages based on ISO/IEC 27002 and related standards.

Disaster Recovery Policy - http://www3.imperial.ac.uk/secretariat/policiesandpublications/disasterrecovery/policy/
Succinct DR policy from Imperial College, London.

Disaster Recovery Policy - http://www.templatezone.com/pdfs/Disaster-Recovery-policy.pdf
Basic DR policy in just over one side.

Government Security Policy - http://www.security.govt.nz/sigs/sigs.zip
The New Zealand Government's information security policy, based on the 2000 version of ISO/IEC 17799. [ZIP file containing PDF and MS Word versions]