This is a sample policy from Information Security Policies Made Easy, by Charles Cresson Wood.
Reducing risk associated with a new technology often requires a combination of overlapping management and technical policies. For example, simply publishing a policy that restricts peer-to-peer networking software may not be sufficient to protect against data leakage if the organization has not defined any controls around computing environments for remote workers. Since many data leaks occur through home-based networks, protection involves a blend of policies including desktop configuration control, acceptable use and physical and environmental controls. As an example, consider this sample policy for Internet Telecommuter Working Environments.
An increased focus for both state and federal information security laws is the monitoring of third-party vendors. Vendor security is becoming more critical with the trend toward outsourced networking services via cloud computing. One way to make sure that vendor security is not overlooked is to include these requirements as part of all third-party service provider contracts. To formalize this requirement, consider this sample policy: Security Requirements in Outsourced Network Services.
Cisco has released a second set of findings from a global study on data leakage, revealing the prevalence and effectiveness of corporate security policies within companies and the reasons employees break or comply with them. The study enables information technology teams in various parts of the world to understand employee risk factors so they can effectively tailor policies that fit the reality of what their users need to do their jobs.