These are examples of computer security policies. Some are policies which have been created and implemented by specific organizations, others are simply samples to provide guidance to those writing their own policies. You may like to use these as templates or donor documents for your own, subject to any copyright restrictions on the originals.
From the University of North Carolina, Greensboro. Specifies responsibilities and prohibited activities in relation to IT use.
Template policy clarifying the acceptable use of IT devices and networks. [MS Word]
A basic acceptable use policy, from the State of California Office of Information Security. [MS Word]
An example policy from a dentistry company concerning the inadvertent disclosure of personal information.
From the State of Vermont Agency of Administration. Mandates the use of antivirus software on applicable systems.
From Georgia Perimeter College. Mandates an ongoing and creative general security awareness program supplemented with more specific training where needed.
Sample policy requires a cycle of daily and weekly backups (although monthly backups are also advisable!).
From the State of Vermont Agency of Administration. Policy re blogging and microblogging (e.g. on Twitter).
An overarching security policy from Berkeley University includes links to more specific and detailed policies.
A high-level information security policy from Washington University.
From the University of North Carolina, Greensboro. Covers compliance with copyright law when using information belonging to others.
From the University of North Carolina, Greensboro. Policy on protecting the organization's own intellectual property through copyright.
From the University of North Carolina, Greensboro. Deliberately simple: defines just two classification levels. Includes responsibilities.
Formalities around the development or update and publication of policies, procedures and forms. From Yale University.
From the State of Vermont Agency of Administration. Policy on disposing of IT systems and media securely, without carelessly discarding confidential data.
Basic disaster recovery (DR) policy in just over one side.
Policy concerning privacy of visitors to websites, covering logs, cookies and information volunteered.
Formal policy from the University of California covering email and other electronic communications mechanisms.
Policy from the University of Colorado on the use of email and other means of electronic communication for official purposes.
From the University of North Carolina, Greensboro. Covers the retention of various data files, including those subject to litigation.
Concerns what systems can be used for electronic signatures, and under what conditions. From Yale University.
Email must not be forwarded automatically to an external destination without prior approval from the appropriate manager.
Policy from Northern Illinois University's IT Services group. Outlines some unacceptable uses.
Security policy for the OpenSSL FIPS software object module, required for validation against FIPS (Federal Information Processing Standard) 140-2.
Corporate governance policies for Connexis, a power company.
From the University of North Carolina, Greensboro. Policy on compliance with the Health Insurance Portability and Accountability Act.
From the University of North Carolina, Greensboro. Lays out controls for detecting and reacting to 'red flag' situations linked to identity theft.
From Heriot-Watt University. Clarifies the respective roles of students, faculty and administrators in reporting and dealing with information security incidents.
From the State of Vermont Agency of Administration. Policy defining the essential elements of the process for responding to security incidents.
Policies from CSPO Tools Inc., some of which are available without charge as PDF files or for an annual subscription as MS Word files, along with additional content.
SANS consensus research project offering around 30 editable information security policies.
An extensive set of ISO27k-based policies for universities from University Colleges and Information Systems Association.
High-level information security policy statement for the Childhood Cancer Research Group at Oxford University.
From the New School university in New York. Includes a set of 21 high-level principles, cross-referenced to ISO/IEC 27002:2005.
From the University of North Carolina, Greensboro. Very succinct - just 5 policy goals.
From Euronet Services India. In addition to a page of information security policy statements, it lists roles and responsibilities, plus supporting policies.
Lays down the rules concerning acceptable ways of using the institution's IT facilities. From Yale University.
One-page Acceptable Use Policy example.
From the State of Vermont Agency of Administration. Policy on specifying, installing and using IDS/IPS.
Example security policy to demonstrate policy writing techniques introduced in three earlier articles.
Typical headings for a security policy aligned broadly with the ISO/IEC 27002 standard for information security management systems.
Collection of information security policies, procedures etc. aligned with the ISO/IEC 27000-series standards and provided under the Creative Commons license.
From the National Health Service. [MS Word]
Succinct policy from Oregon State University requires that a competent person signs a release form before disposing of storage media from which the data have been securely erased (e.g. by 7x overwrite).
Watchguard's guide to creating an overarching network information security policy, supported by subsidiary policies.
From the University of North Carolina, Greensboro. Policy about mandatory notification of breaches involving the disclosure of personal information.
Example policy covering pre-employment screening, security policy training etc.
From the State of Vermont Agency of Administration. Covers physical access controls and the secure provision of power etc. to a computer room.
One of many, many examples on the WWW, this one from the School of Graduate Studies at Norwich University.
Concerns ownership and rights over corporate IT equipment, in the University of Colorado. This policy includes an explanatory FAQ section.
Concerns the need to retain formal records associated with ongoing legal actions. From Yale University.
Covers retention of documents/information for business and compliance purposes. From Yale University.
Defines standards for minimal security configuration for servers inside the organization's production network, or used in a production capacity.
Controls to maintain the secrecy of SSNs. From Yale University.
From the University of North Carolina, Greensboro. Specifies security controls to protect SSNs.
Policy covering appropriate use of information resources and IT at the University of Michigan.
Sample policy on teleworking covering employment as well as information security issues.
From the University of North Carolina, Greensboro. Covers health and safety and employment issues as well as IT security aspects of home working.
From the State of Vermont Agency of Administration. Connections require business cases, audits etc.
Electronic resource usage and security policies from the University of Pennsylvania.
A set of information security policies from the University of Louisville.
By Euronext N.V. Requires employees to report serious noncompliance incidents, offering whistleblowers protection against disadvantage.
Concerns the use of wireless networking devices.
From the University of North Carolina, Greensboro. Prohibits wireless devices that may interfere with authorized wireless systems.
Thanks to DMOZ, which built a great web directory for nearly two decades and freely shared it with the web.