Information Security Policies Made Easy

$795.00

Information Security Policies Made Easy is the “gold standard” information security policy template library, with over 1500 pre-written information security policies covering over 200 security topics. Based on the 25 year consulting experience of Charles Cresson Wood, CISSP, CISA, it is the most widely used policy library in the world, with over 10,000 customers in 60 countries. Take the work out of creating, writing, and implementing security policies.

Description

Information Security Policies Made Easy has everything you need to build a robust security policy program, including:

Thirty-eight (38) essential sample information security policy documents:

  • Complete coverage of essential security topics including: Access Control Policy, Network Security Policy, Personnel Security, Information Classification, Physical Security, Acceptable Use of Assets, and many more.
  • All samples policies in our MS-Word Best Practices Policy Template. Customized in minutes!

Complete 1500+ information security policy statement library

  • 1500 individual pre-written security policies covering of the latest technical, legal and regulatory issues
  • ISO 17799:2005 (ISO 27002) outline format, allowing for easy gap-analysis against existing standards and security frameworks
  • Expert commentary discussing the risks mitigated by each policy
  • Target audience (management, technical, or user) and security environment (low, medium, high) for each policy
  • Policy coverage maps for PCI-DSS, NIST, ISO 27002, FFIEC and HIPAA-HiTECH security

Expert information security policy development advice and tools

  • A step-by-step checklist of security policy development tasks to quickly start a policy development project
  • Helpful tips and tricks for getting management buy-in for information security policies and education
  • Tips and techniques for raising security policy awareness
  • Real-world examples of problems caused by missing or poor information security policies
  • Essential policy compliance forms such as Risk acceptance memo, incident Reporting Form and Security Policy Compliance Agreement.

Comprehensive Information Security Policy Coverage

Information Security Policies Made Easy covers over 200 essential information security topics including:

  • Access Control
  • Acceptable Use
  • Application Development
  • Biometrics
  • Computer emergency response teams
  • Computer viruses
  • Contingency planning
  • Corporate Governance
  • Data Classification and Labeling
  • Data Destruction
  • Digital signatures
  • Economic Espionage
  • Electronic commerce
  • Electronic mail
  • Employee surveillance
  • Encryption
  • Firewalls
  • FAX communications
  • Incident Response
  • Identity Theft
  • Information Ownership
  • Information Security Related Terrorism
  • Internet
  • Local area networks
  • Intranets
  • Logging controls
  • Microcomputers
  • Mobile Devices
  • Network Security
  • Outsourcing security functions
  • Password Management
  • Personnel Screening and Security
  • Portable computers (PDA, Laptops)
  • Physical Security
  • Privacy issues
  • Security Roles and Responsibilities
  • Social Engineering (including “phishing”)
  • SPAM Prevention
  • Telecommuting
  • Telephone systems
  • Third Party Access
  • User security training
  • Web Site Security
  • Wireless Security
  • Voice Over IP (VOIP)
  • And many more!

Information Security Policies Made Easy, Version 13 is available for electronic download. Each product contains a print-ready PDF, MS-Word templates and an organization-wide license to republish the materials. (No physical CD or book).

SEE ALSO: Information Security Roles and Responsibilities Made Easy (version 3): Includes time-saving tools and practical, step-by-step instructions on how to develop and document specific information security responsibilities for over 40 different key organizational roles.

Click HERE for special pricing for both products purchased together!

 

Comprehensive Information Security Policy Coverage

Information Security Policies Made Easy covers over 200 essential information security topics including:

  • Access Control
  • Acceptable Use
  • Application Development
  • Biometrics
  • Computer emergency response teams
  • Computer viruses
  • Contingency planning
  • Corporate Governance
  • Data Classification and Labeling
  • Data Destruction
  • Digital signatures
  • Economic Espionage
  • Electronic commerce
  • Electronic mail
  • Employee surveillance
  • Encryption
  • Firewalls
  • FAX communications
  • Incident Response
  • Identity Theft
  • Information Ownership
  • Information Security Related Terrorism
  • Internet
  • Local area networks
  • Intranets
  • Logging controls
  • Microcomputers
  • Mobile Devices
  • Network Security
  • Outsourcing security functions
  • Password Management
  • Personnel Screening and Security
  • Portable computers (PDA, Laptops)
  • Physical Security
  • Privacy issues
  • Security Roles and Responsibilities
  • Social Engineering (including “phishing”)
  • SPAM Prevention
  • Telecommuting
  • Telephone systems
  • Third Party Access
  • User security training
  • Web Site Security
  • Wireless Security
  • Voice Over IP (VOIP)
  • And many more!

Information Security Policies Made Easy, Version 13 is available for electronic download. Each product contains a print-ready PDF, MS-Word templates and an organization-wide license to republish the materials.

 

Information Security Policy – Product Contents

Information Security Policies Made Easy has all of the templates and tools you need to develop information security policies quickly and effectively.

How to Develop Information Security Policies

Expert help by Charles Cresson Wood on how to develop information security policies that really work in your organization. Topics include:

Defining Information Security Policies
Importance of Security Policies
Considerations In The Policy Development Process
Policy Development Time Line
Policy Document Length
Policy Usage
Policy Objectives And Scope

Information Security Policy Statement Library

The complete library contains over 1500 information security policy statements with expert commentary on the following information security topics within the Common Policy Library (CPL).

  1. IT Risk Management

1.1. Risk Management Program

  1. Security Policies & Procedures

2.1. Security Policy and Procedure Development

2.2. Security Policy Management

  1. Security Program Management

3.1. Security Program Governance

3.2. Information Security Organization

3.3. Security Compliance Evaluation

  1. Asset Management

4.1. Asset Procurement

4.2. Asset Inventory

4.3. Asset Accountability

4.3.1. Asset Classification

4.3.2. Asset Ownership Assignment

4.4. Asset Protection

4.4.1. Asset Assignment

4.4.2. Configuration Control

4.4.3. Asset Management

4.5. Acceptable Use of Assets

4.6. Asset Removal and Transfer

4.7. Asset Disposal

4.8. Mobile Computing

  1. Information Management

5.1. Information Collection

5.2. Information Classification

5.3. Information Exchange and Transit

5.4. Information Storage and Retention

5.5. Information Disposal

  1. Third Party Management

6.1. Third Party Risk Management

6.2. Third Party Contracts

6.3. Third Party Service Delivery

  1. Personnel Security

7.1. Personnel Security Management

7.2. Security Awareness and Training *

  1. Access Control

8.1. Access Control Systems

8.2. User Access Management

8.3. User Account Management

8.4. Remote Access and Mobile Computing

  1. Network Security

9.1. Intrusion Protection

9.2. Network Controls

9.3. Wireless Networks

  1. Physical & Environmental Security

10.1 Physical Security Planning

10.1. Site Security

10.2. Processing Facilities Security

10.3. Office and Facility Security

  1. Operations Management

11.1. Security Operations Management

11.2. System Planning

11.3. Systems Management

11.4. Change Management

11.5. Malicious Software

11.6. Encryption and Key Management

  1. Application Security Management

12.1. Application Development Security

12.2. Transaction Controls

12.3. Web Site Security

  1. Incident Detection & Management

13.1. Security Incident Planning

13.2. Security Incident Response

13.3. Data Breach Management

  1. IT Business Continuity and Contingency Planning

14.1. Information Backup

14.2. IT Business Continuity Governance

14.3. Business Continuity Planning

  1. Security Monitoring and Audit

15.1. Information Security Logs

15.2. System Monitoring and Audit

  1. Data Privacy and Personal Information

16.1. Employee Privacy

16.2. Customer Privacy

16.3. Identity Theft Prevention

16.4. Privacy Governance

 

Sample Information Security Policy Documents

All the security topics you need! ISPME contains each of the following complete security policy documents in MS-Word format and organized in our best-practices security policy template. Easily to customize and use.

00 -Sample High-Level Information Security Policy

1.0 Sample IT Risk Management Security Policy

2.0 Sample Information Security Program Policy

3.0 Sample Information Security Organization Policy

4.0 Sample Audit and Compliance Assessment Policy

5.0 Sample Asset Management Policy

6.0 Sample Acceptable Use of Assets Policy

7.0 Sample Acceptable Use of Social Networking Policy

8.0 Sample Cloud Computing Security Policy

9.0 Sample Mobile Computing Security Policy

10.0 Sample Remote Working (Telecommuting) Security Policy

11.0 Sample Personally Owned Devices (BYOD) Security Policy

12.0 Sample Information Classification Policy

  1. Sample Information Exchange Policy
  2. Sample Information Storage and Retention Policy
  3. Sample Information and Media Disposal Policy
  4. Sample Third Party Security Management Policy
  5. Sample Personnel Security Management Policy
  6. Sample Security Awareness and Training Policy
  7. Sample Access Control Security Policy
  8. Sample Account and Privilege Management Policy
  9. Sample Remote Access Security Policy
  10. Sample Network Security Management Policy
  11. Sample Firewall Security Policy
  12. Sample Wireless Network Security Policy
  13. Sample Physical Security Policy
  14. Sample System Configuration Management Policy
  15. Sample Change Management Policy
  16. Sample Malicious Software Management Policy
  17. Sample Encryption and Key Management Policy
  18. Sample Application Development Security Policy
  19. Sample Security Incident Response Policy
  20. Sample Data Breach Response Policy
  21. Sample Backup and Recovery Policy
  22. Sample IT Business Continuity Policy
  23. Sample Log Management and Monitoring Policy
  24. Customer Data Privacy Policy
  25. Sample Best Practices Information Security Policy Template

 

Sample Security Policy Compliance Documents

In addition to sample policy documents, the following forms and agreements help you implement your information security program.

Information Security Policy Compliance Agreement
Management Risk Acceptance Memo
Two-Page Simple Non-Disclosure Agreement
Sample Data Classification Quick Reference Table
Sample Identity Token Responsibility Statement
Sample Employment Termination Procedure
Sample Security Incident Reporting Form

Sample Information Security Policy Glossary

Information Security Policy Development Resources

Policy Development Plan Checklist (Appendix D)
Suggested Next Steps after Policy Development (Appendix E)

List Of Suggested Awareness-Raising Methods (Appendix F)
Regulatory Requirements for Information Security Policies (Appendix G)

Using This Guide for Regulatory Requirements
Using this guide for PCI-DSS.
Using this guide for HIPAA/HiTECH Security Requirements
Using this guide for Sarbanes-Oxley Requirements
Using this guide for NIST (FISMA) Security Requirements

Index Of New Information Security Policies
About the Author

Most Recommended by Security Pros!

Information Security Policies Made Easy is recommended by your peers, including top information security and data privacy experts. Here are a few of them:

“If I could have only six books in my professional library, this would be one of them.”
Dr. Harold Highland
Editor, Emeritus of Computers & Security Magazine

“Information Security Policies Made Easy (ISPME) is one of the most important information security books available for those who are serious about creating a comprehensive set of information systems security policies. Given the dynamic nature of technology, very few technology books can stand the test of time and remain relevant for a few years, let alone a decade after their original printing.”
Ben Rothke CISSP, CISM
Director – Security Technology Implementation, AXA Technology Services

“The [ISPME] guidelines have saved three months of manual effort that would have been required to research and write policies.”
Douglas Feil
EDP Audit Manager, City & County of San Francisco,
Network Management Systems & Strategies

“It gave us everything we needed to help us write standards and communicate [policies] in a clear, concise manner with no ambiguity or technical jargon … the book paid for itself in two weeks.”
Jonah Goldsmith
Data Security Consultant to Large Medical Insurance Company, LAN Times

“If you are an auditor, business security or InfoSec specialist, part of corporate management or other business professional, and want to be sure you have a strong foundation for your InfoSec program, you must get and use this book. This book contains not only policies but also a guideline on how to use the policies; provides matrices that make it easier to understand how they all fit together; and many useful appendices. Some may say that this book is too expensive and one can find cheaper books of InfoSec policies. If you go cheap you get cheap. Can you afford to do that when mistakes can be costly and when the protection of your company’s information and competitive edge may be at stake? Buy this book, use it and start building a comprehensive InfoSec program for your company.”
Dr. Gerald L. Kovacich
ShockwaveWriters.Com

“Information Security Policies Made Easy is an indispensable tool for anyone who needs to develop a HIPAA security policy. Those who are familiar with the hardbound version of the classic work by Charles Cresson Woods will be amazed by this interactive format. Navigation aids such as the ‘find’ command allowed me to cut my development time considerably.”
Harry E. Smith, CISSP, Co-Founder
PrivaPlan Associates, Inc.

“This is the gold standard Policy reference for any serious security practitioner to have in their arsenal of tools, a must have! The instructions and examples for establishing security polices and implementation processes add real value to this edition.”
John B. Kramer, CISSP, CISA
Information Security Manager – UPMCHS

“Wood has created a complete kit of proven best practices that any organization can use and customize to make policies meeting their exact needs.”
Jay Heiser
Columnist, Information Security Magazine.

“In 1993, I was asked to develop my first information security policy. I began by cutting and pasting a series of thoughts and calling that a policy. Usually these policies were rejected by management. To ensure that my organization had strong Information Security policies in place, I purchased a copy of Information Security Policies Made Easy. Quickly I learned that creating a policy was a process that included writing policies, editing policies, obtaining management approval, communicating policies, and implementing controls to meet the policy requirements. The book provides the reader with the tools necessary to develop policies, including an easy to use CD (fully-linked and searchable).”
Diana-Lynn Contesti, CISSP, SSCP
Information Security Officer – Dofasco Inc.

“Charles Cresson Wood…is an expert’s expert, and knows more about computer security policies than anyone I know.”
Michael Alexander
Editor, Datamation

“This book is invaluable to those responsible for creating or maintaining an information security policy manual or similar documents.”
Belden Menkus
Editor, EDPACS

About Charles Cresson Wood

About Charles Cresson Wood

Recipient of Computer Security Institute’s Lifetime Achievement Award

Charles Cresson Wood, CISSP, CISM, CISA is an author, researcher, and management consultant based in Mendocino, California. In the information security field on a full-time basis since 1979, he has worked as an information security management consultant at SRI International (formerly Stanford Research Institute), as well as lead network security consultant at Bank of America. He has done information security work with over 120 organizations, many of them Fortune 500 companies, including a significant number of financial institutions and high-tech companies. His consulting work has taken him to over twenty different countries around the world.

He is noted for his ability to integrate competing objectives (like ease-of-use, speed, flexibility and security) in customized and practical compromises that are acceptable to all parties involved. Acknowledging that information security is multi-disciplinary, multi-departmental, and often multi-organizational, he is additionally noted for his ability to synthesize a large number of complex considerations and then to document these in information security architectures, information security requirement statements, risk assessments, project plans, policy statements, and other clear and action-oriented documents.

He has published over 375 technical articles and six books in the information security field. In addition to various TV and radio appearances, he has been quoted as an expert in publications such as Business Week, Christian Science Monitor, Computerworld, IEEE Spectrum, Infoworld, LA Times, Network Computing, Network World, PC Week, The Wall Street Journal, and Time. He has also presented cutting-edge information security ideas at over 100 technical and professional conferences around the globe.

For over 10 years, Mr. Wood was a Senior North American Editor for the Elsevier academic research journal called “Computers &Security” and the practitioner’s newsletter entitled “Computer Fraud & Security Bulletin.” For over 17 years, for the Computer Security Institute, he wrote a monthly column about information security policies for the newsletter entitled “Computer Security Alert.” He as also been an information security strategy columnist for the global technology media company called TechTarget.

He holds an MBA in financial information systems, an MSE in computer science, and a BSE in accounting from the Wharton School of Business at the University of Pennsylvania. He has also passed the Certified Public Accountant (CPA) examination. He is a Certified Information Security Manager (CISM), a Certified Information Systems Auditor (CISA), and a Certified Information Systems Security Professional (CISSP). In November 1996 he received the Lifetime Achievement Award from the Computer Security Institute for his “sincere dedication to the computer security profession.” Mr Wood is currently attending St. Francis School of Law, on a part-time basis, and when he graduates and passes the California bar exam, he intends to specialize in intellectual property protection and privacy matters.

Here is a sampling of the over 375 security related articles by Charles Cresson Wood:


“Researchers Must Disclose All Sponsors And Potential Conflicts,”
Computer Security Alert, No. 197, March 2000; Publisher:Computer Security Institute, San Francisco, CA. [pub. no.220]
“Integrated Approach Includes Information Security,”
Security, pp. 43-44,February 2000; Publisher: Cahners, Des Plains, IL. [pub. no.219]

“Get Data Safety Policies In Place,” American Banker, 11 February 2000, p. 7;Publisher: American Banker, New York, NY.[pub. no. 218]
“All Internet Personal Data Gathering Techniques Must Be Disclosed,”
Computer Security Alert, No. 196,
February 2000; Publisher: Computer SecurityInstitute, San Francisco, CA. [pub.no. 217]

“The Information Security Profession: Evolutionary Career Paths,” Information Security, November 1999;Publisher: published by ICSA.net, Norwood, MA. [pub. no. 214]

“Disclosures Of Private Information Without Data Subject Consent,” Computer Security Alert, No. 193, November 1999; Publisher: Computer Security Institute, San Francisco, CA. [pub. no.212]

“Termination Of Outsourcing Contracts For Security Violations,” Computer Security Alert, No. 191, September 1999; Publisher:Computer Security Institute, San Francisco, CA. [pub. no. 210]

“Top Ten Impediments To Implementing An Information Security Policy,” Information Security, September 1999, Publisher: Information Security, Norwood, MA (cover story). [pub. no.209]
“A Functional Comparison Of Tandem Data Replication Software Packages,”
an extensive independent report prepared for customers and prospects, August 1999; Publisher: Compaq Corporation, Cupertino,CA. [pub. no. 207]

“Subjects Given Opportunity To Block Private Information Disclosures,”Computer Security Alert, No. 189, June 1999; Publisher: Computer Security Institute, San Francisco, CA. [pub.no. 205]

“Use Of Personal Digital Assistants, Hand-Held Computers, And Smart Phones For Corporate Business Information,” Computer Security Alert, No. 186, March 1999; Publisher: Computer Security Institute,
San Francisco, CA. [pub. no.202]

“All Systems Access Privileges Cease When Workers Terminate,” Computer Security Alert, No. 185, February 1999; Publisher: Computer Security Institute, San Francisco, CA. [pub. no.202]

“Non-Compliance And Disciplinary Action,” Computer Security Alert, No. 182, November 1998; Publisher: Computer Security Institute, San Francisco, CA. [pub.no. 198]

“Convenience Versus Multi-Factor User Authentication,” Computer Security Alert, No. 181, October 1998; Publisher: Computer Security Institute, San Francisco, CA. [pub. no.196]

“Twelve New Vulnerabilities Introduced by Internet Commerce,” Information Security Bulletin, September 1998 (volume 3, issue 6, cover story), Publisher: Chi Publishing Ltd., London, England. [pub. no.195]

“All Telephone Transactions Require Positive Caller Identification,” Computer Security Alert, No. 179, August 1998; Publisher: Computer Security Institute,San Francisco, CA. [pub. no.193]

“TheTruth About Masquerading and Spoofing,” Network Magazine, February 1998; Publisher: Miller Freeman,San Francisco, CA. [pub. no.183]

 

“Unauthorized Information Disclosure and Loss of Stock Options,” Computer Security Alert, No. 173, December 1997; Publisher: Computer Security Institute, San Francisco, CA. [pub. no.185]

“Managing Perceptions About Internet Electronic Commerce Security,” Computer Security, Audit & Control, February 1997; Publisher: Management Advisory Services Publications, Wellesley Hills,MA. [pub. no. 165]

“Information Security: Are We Winning the Game?” Computer Fraud &Security Bulletin, January 1997;
Publisher: Elsevier Science Technology,Oxford, England. [pub. no.162]

“Encryption for Files Left on Anonymous FTP Servers,” Computer SecurityAlert, No. 163, October 1996; Publisher: Computer Security Institute, SanFrancisco, CA. [pub. no.159]

“Encryption Systems Must Include Key Escrow,” Computer Security Alert, No. 157, April 1996; Publisher: Computer Security Institute, San Francisco, CA. [pub.no. 152]

“Cryptography Plays Central Role in Future Electronic Commerce,” March 1996, pp. 9-10, Computer Fraud & Security Bulletin; Publisher: Elsevier Science Technology, Oxford, England. [pub. no.151]

“Users Must Not Attempt to Eradicate Viruses,” Computer Security Alert, No. 156, March 1996; Publisher:Computer Security Institute, San Francisco, CA. [pub. no.150]

“EDPAudit Must Be Independent of Information Security,” Computer Security Alert, No. 155, February1996; Publisher: Computer Security Institute, SanFrancisco, CA. [pub. no.147]

“Reliance on Information Downloaded From Internet,” Computer Security Alert, No. 153, December 1995; Publisher:Computer Security Institute, SanFrancisco, CA. [pub. no.145]

“When to Report Computer Crimes to Law Enforcement,” Computer Security Alert, No. 151, October 1995; Publisher: Computer Security Institute, SanFrancisco, CA. [pub. no.141]

“New Intellectual Property and the Need for Information Security,” ComputerFraud & Security Bulletin, September 1995, pp. 18-19; Publisher: Elsevier Science Ltd., Oxford, England. [pub.no. 139]

“Require Approval for Official Statements Posted to the Internet,” Computer Security
Alert, No. 149, August 1995; Publisher: Computer Security Institute, San Francisco, CA. [pub. no.136]

“Internet Anarchy and the Effectiveness of Laws,” Computerworld, 12 June1995. Expanded version also appears as “Need for Worldwide Internet Laws,” inComputer Fraud & Security Bulletin, p.10, July 1995, Elsevier Science Publishers, Oxford, England. [pub. no.133]

“ISO9000 and Information Security,” Computers & Security, vol. 14, no. 4,pp. 287-288, October 1995; Publisher: Elsevier Science Publishers, Oxford,England (co-author Karen Snow). [pub.no. 131]

“WhySATAN Should Not Have Been Distributed As It Was,” Computer Security Alert,No. 146, May 1995; Publisher: Computer Security Institute, San Francisco, CA.[pub. no. 128]

“Destroy Archived Electronic Mail Periodically,” Computer Security Alert, No. 142, January 1995; Publisher:Computer Security Institute, San Francisco, CA. [pub. no.124]

“Wireless Network Security,” Proceedings of Wireless Datacom ’94 Conference held in Washington, DC, 6-8 December 1994;Publisher: Business Communications Review,Hinsdale, IL. [pub. no.122]

“Fifty Ways to Secure Dial-Up Communications,” Computers & Security, May 1994, vol. 13, no. 3, pp. 209-215; Publisher: Elsevier Advanced Technology, Oxford, England. [pub. no.118]

“Identity Token Usage at American Commercial Banks,” Computer Fraud & Security Bulletin, March 1995; Publisher:Elsevier Science Publishers, Oxford England, pp. 14-16. [pub. no.114]

“Security Problems in Collaborative Computing,” Network World, October 1994; Publisher: International Data Group, Framingham,MA. [pub. no. 113]“The Newest Threat to Information Security: Open Book Management,” EDPACS, August 1994; Publisher: WarrenGorham Lamont, Boston,MA. [pub. no. 110]

“Principles of Secure Information Systems Design with Groupware Examples,” Proceedings of the Groupware ’92 Conference, held in San Jose, California 3-5 August 1992; Publisher: Morgan Kaufmann Publishers, San Mateo, CA. [pub. no. 75]“A Strategy for Developing Information Security Documents,”
Journal of Information Systems Security, vol. 1, issue 2,Summer 1992, pp. 71-78; Publisher: Auerbach Publishers, New
York, NY (co-author: Juhani Saari). [pub. no. 68]

“Using Information Security to Achieve Competitive Advantage,” Proceedings of the 18th Annual CSI Conference, Miami, Florida, November 11-15, 1991; Publisher: Computer Security Institute, San Francisco, California.[pub. no. 58]“Data Dictionaries and Information Security,” Proceedings of SECURICOM ’84 International Conference, Cannes, France,29 February – 2 March 1984, pp. 55-63; Publisher: SEDEP, Paris,
France. [pub. no. 24

“International Barriers to Information Flows,” SRI International Business Intelligence Report, Report #1057, March 1981; Publisher: SRI International, Menlo Park, CA. [pub. no. 10]

“Computer Crime: Criminal Justice Resource Manual,” with Parker, Donn B., Publisher: U.S. Government Printing Office, Washington, DC; prepared for U.S. Department of Justice; order no. 1979-311-379/1710,
1979. [pub. no. 1]

New and Updated Sample Security Policy Documents

Information Security Policies Made Easy, Version 13 contains these updates:

Security Policy Library Update for the Common Policy Library (CPL) and ISO 27002:2013

The ISPME Version 13 security policy library has been updated to reflect the new Common Policy Library (CPL). The CPL is a set of common information security policies that enable organizations to comply with multiple data protection laws including ISO 27002, PCI-DSS and HIPAA/HiTECH. ISPME is the most complete library of security policies available covering over 200 different information security topics.

38 Updated “Ready-to-Go” Sample Security Policy Templates

Version 13 now contains 38 complete, pre-written sample information policy documents in MS-Word format, including:

  1. Sample High-Level Information Security Policy
  2. Sample IT Risk Management Security Policy
  3. Sample Information Security Program Policy
  4. Sample Information Security Organization Policy
  5. Sample Audit and Compliance Assessment Policy
  6. Sample Asset Management Policy
  7. Sample Acceptable Use of Assets Policy
  8. Sample Acceptable Use of Social Networking Policy
  9. Sample Cloud Computing Security Policy
  10. Sample Mobile Computing Security Policy
  11. Sample Remote Working (Telecommuting) Security Policy
  12. Sample Personally Owned Devices (BYOD) Security Policy
  13. Sample Information Classification Policy
  14. Sample Information Exchange Policy
  15. Sample Information Storage and Retention Policy
  16. Sample Information and Media Disposal Policy
  17. Sample Third Party Security Management Policy
  18. Sample Personnel Security Management Policy
  19. Sample Security Awareness and Training Policy
  20. Sample Access Control Security Policy
  21. Sample Account and Privilege Management Policy
  22. Sample Remote Access Security Policy
  23. Sample Network Security Management Policy
  24. Sample Firewall Security Policy
  25. Sample Wireless Network Security Policy
  26. Sample Physical Security Policy
  27. Sample System Configuration Management Policy
  28. Sample Change Management Policy
  29. Sample Malicious Software Management Policy
  30. Sample Encryption and Key Management Policy
  31. Sample Application Development Security Policy
  32. Sample Security Incident Response Policy
  33. Sample Data Breach Response Policy
  34. Sample Backup and Recovery Policy
  35. Sample IT Business Continuity Policy
  36. Sample Log Management and Monitoring Policy
  37. Customer Data Privacy Policy
  38. Sample Best Practices Information Security Policy Template

New Policy Compliance Tools

The updated Master Policy List allows easy gap-analysis for your existing policies. A newly-added Best Practices Policy Template enables your organization to easily reference existing policies to compliance frameworks such as HIPAA, COBIT or PCI-DSS.

  1. Information Security Policy Compliance Agreement
  2. Management Risk Acceptance Memo
  3. Two-Page Simple Non-Disclosure Agreement
  4. Sample Data Classification Quick Reference Table
  5. Sample Identity Token Responsibility Statement
  6. Sample Employment Termination Procedure
  7. Sample Security Incident Reporting Form
  8. Sample Information Security Policy Glossary

120+ New Information Security Policies

Version 13 contains 120 additional pre-written information security policy statements with expert commentary covering the latest security threats and technologies, including:

  • Audit Logging
  • BYOD (Bring Your Own Device)
  • Cloud Computing
  • Corporate governance
  • Data Breaches Response
  • Disposal of equipment
  • Email security including phishing
  • Instant messaging
  • Information Security Coordination
  • USB storage
  • Mobile device security
  • Personnel Security
  • Physical Security
  • Risk Management
  • Social Networking
  • Supply Chain Security
  • Security Department coordination
  • Remote Access and Teleworking
  • FAX and office machine security
  • Third-Party Software Development
  • Third-Party Service Management
  • Third-Party Information Disclosure
  • And much more…

Featured Sample Information Security Policies

Classification Of Information Security Policies And Procedures

(These sample policies and commentary are from over 1500 security policy templates from Information Security Policies Made Easy, Copyright ©2017.)

Policy: All Company X information security documentation including, but not limited to, policies, standards, and procedures, must be classified as “Internal Use Only,” unless expressly created for external business processes or partners.

Commentary:

This policy prevents workers from disclosing to outsiders the specifics of how Company X secures its information and systems. These details could be used to compromise Company X information and systems. For example, knowledge about an internal process may help an industrial spy commit credible social engineering fraud. Because some information security policies are made public (for example on a web page), some workers may get the impression that other information security policies may be publicly released without adverse consequence. Information security policies should be revealed to outsiders only when it is required for business reasons, legal requirements, or because it is the ethical thing to do. Not all of the information security policies need to be released in these instances, and a summary statement is not only advisable but is appreciated by the recipients. Each information security policy document should be marked with an appropriate classification in order to communicate whether or not the policies are public information.

Risk Assessment – Documented Methodology

Policy: Company X must specify and document a formal methodology for performing risk assessments. The specification must include, at a minimum, the risk methodology (quantitative or qualitative) used, specific criteria for ranking assets, sources of vulnerability and threat data, and acceptable risk thresholds.

Commentary: This policy ensures that Company X uses a consistent, documented methodology for performing system risk assessments. By their very nature, risk assessments can be very subjective. By providing documentation of the risk methodology used, the organization can provide some level of consistency between different organizational units or teams performing risk assessments. One example of such a methodology is the Facilitated Risk Assessment (FRA). This process, which utilizes a qualitative risk analysis, is geared to a specific application, system or network. It allows risks to be addressed in financial and non-financial terms, as well as taking into consideration secondary impacts. It is a formal methodology that is driven by the system’s owners, conducted by a facilitator, and can be completed in a relatively short period of time.

Annual Review of Applicable Security Policies

Policy: All Company X employees and contractors must review and acknowledge acceptance of the information security policies which apply to them at least on an annual basis.

Commentary:

One of the key controls in any information security program is the education and training of users on both generic information security principles and specific company policies. This policy requires each user within the organization to read each set of security policies which applies to them, and sign an agreement to acknowledge that they have read and agree to abide by these policies. This policy has been in practice for many years in some organizations, without being formally documented. While many organizations require a user to sign an agreement to abide by policies when they first join the company, many times this form ends up in a personnel file never to be seen again. This policy is not only required by many security-related laws, it is critical documentation for any potential lawsuit involving employee violations of policy. While this seems like a large administrative burden, automated security policy tools that automate much of this process are now available.

Information Ownership Assignment

Policy: The Chief Information Officer (CIO) must clearly specify in writing the assignment of Information Ownership responsibilities for those databases, master files, and other shared collections of information used to support production business activities.

Commentary: This policy establishes a clear and documented delegation of information access control-related authority. A definition of delegated authorities is useful when determining access control permissions. This policy clarifies who is responsible for security and related matters for shared information resources such as a database or network file share (the Owner is). Often information security activities are forgotten when several people are potentially responsible but no one has been specifically assigned responsibility. This policy will be particularly helpful within organizations that rely on database management systems and application programs to enforce access controls.

 

You may also like…