Comprehensive Information Security Policy Coverage
Information Security Policies Made Easy covers over 200 essential information security topics including:
- Access Control
- Acceptable Use
- Application Development
- Biometrics
- Computer emergency response teams
- Computer viruses
- Contingency planning
- Corporate Governance
- Data Classification and Labeling
- Data Destruction
- Digital signatures
- Economic Espionage
- Electronic commerce
- Electronic mail
- Employee surveillance
- Encryption
- Firewalls
- FAX communications
- Incident Response
- Identity Theft
- Information Ownership
- Information Security Related Terrorism
- Internet
- Local area networks
- Intranets
- Logging controls
- Microcomputers
- Mobile Devices
- Network Security
- Outsourcing security functions
- Password Management
- Personnel Screening and Security
- Portable computers (PDA, Laptops)
- Physical Security
- Privacy issues
- Security Roles and Responsibilities
- Social Engineering (including “phishing”)
- SPAM Prevention
- Telecommuting
- Telephone systems
- Third Party Access
- User security training
- Web Site Security
- Wireless Security
- Voice Over IP (VOIP)
- And many more!
Information Security Policies Made Easy, Version 13 is available for electronic download. Each product contains a print-ready PDF, MS-Word templates and an organization-wide license to republish the materials.
Information Security Policy – Product Contents
Information Security Policies Made Easy has all of the templates and tools you need to develop information security policies quickly and effectively.
How to Develop Information Security Policies
Expert help by Charles Cresson Wood on how to develop information security policies that really work in your organization. Topics include:
- Defining Information Security Policies
- Importance of Security Policies
- Considerations In The Policy Development Process
- Policy Development Time Line
- Policy Document Length
- Policy Usage
- Policy Objectives And Scope
Information Security Policy Statement Library
The complete library contains over 1500 information security policy statements with expert commentary on the following information security topics within the Common Policy Library (CPL).
- IT Risk Management
1.1. Risk Management Program
- Security Policies & Procedures
2.1. Security Policy and Procedure Development
2.2. Security Policy Management
- Security Program Management
3.1. Security Program Governance
3.2. Information Security Organization
3.3. Security Compliance Evaluation
- Asset Management
4.1. Asset Procurement
4.2. Asset Inventory
4.3. Asset Accountability
4.3.1. Asset Classification
4.3.2. Asset Ownership Assignment
4.4. Asset Protection
4.4.1. Asset Assignment
4.4.2. Configuration Control
4.4.3. Asset Management
4.5. Acceptable Use of Assets
4.6. Asset Removal and Transfer
4.7. Asset Disposal
4.8. Mobile Computing
- Information Management
5.1. Information Collection
5.2. Information Classification
5.3. Information Exchange and Transit
5.4. Information Storage and Retention
5.5. Information Disposal
- Third Party Management
6.1. Third Party Risk Management
6.2. Third Party Contracts
6.3. Third Party Service Delivery
- Personnel Security
7.1. Personnel Security Management
7.2. Security Awareness and Training
- Access Control
8.1. Access Control Systems
8.2. User Access Management
8.3. User Account Management
8.4. Remote Access and Mobile Computing
- Network Security
9.1. Intrusion Protection
9.2. Network Controls
9.3. Wireless Networks
- Physical & Environmental Security
10.1 Physical Security Planning
10.1. Site Security
10.2. Processing Facilities Security
10.3. Office and Facility Security
- Operations Management
11.1. Security Operations Management
11.2. System Planning
11.3. Systems Management
11.4. Change Management
11.5. Malicious Software
11.6. Encryption and Key Management
- Application Security Management
12.1. Application Development Security
12.2. Transaction Controls
12.3. Web Site Security
- Incident Detection & Management
13.1. Security Incident Planning
13.2. Security Incident Response
13.3. Data Breach Management
- IT Business Continuity and Contingency Planning
14.1. Information Backup
14.2. IT Business Continuity Governance
14.3. Business Continuity Planning
- Security Monitoring and Audit
15.1. Information Security Logs
15.2. System Monitoring and Audit
- Data Privacy and Personal Information
16.1. Employee Privacy
16.2. Customer Privacy
16.3. Identity Theft Prevention
16.4. Privacy Governance
Sample Information Security Policy Documents
All the security topics you need! ISPME contains each of the following complete security policy documents in MS-Word format, organized in our best-practices security policy template. Easy to customize and use.
00 - Sample High-Level Information Security Policy
1.0 Sample IT Risk Management Security Policy
2.0 Sample Information Security Program Policy
3.0 Sample Information Security Organization Policy
4.0 Sample Audit and Compliance Assessment Policy
5.0 Sample Asset Management Policy
6.0 Sample Acceptable Use of Assets Policy
7.0 Sample Acceptable Use of Social Networking Policy
8.0 Sample Cloud Computing Security Policy
9.0 Sample Mobile Computing Security Policy
10.0 Sample Remote Working (Telecommuting) Security Policy
11.0 Sample Personally Owned Devices (BYOD) Security Policy
12.0 Sample Information Classification Policy
- Sample Information Exchange Policy
- Sample Information Storage and Retention Policy
- Sample Information and Media Disposal Policy
- Sample Third Party Security Management Policy
- Sample Personnel Security Management Policy
- Sample Security Awareness and Training Policy
- Sample Access Control Security Policy
- Sample Account and Privilege Management Policy
- Sample Remote Access Security Policy
- Sample Network Security Management Policy
- Sample Firewall Security Policy
- Sample Wireless Network Security Policy
- Sample Physical Security Policy
- Sample System Configuration Management Policy
- Sample Change Management Policy
- Sample Malicious Software Management Policy
- Sample Encryption and Key Management Policy
- Sample Application Development Security Policy
- Sample Security Incident Response Policy
- Sample Data Breach Response Policy
- Sample Backup and Recovery Policy
- Sample IT Business Continuity Policy
- Sample Log Management and Monitoring Policy
- Customer Data Privacy Policy
- Sample Best Practices Information Security Policy Template
Sample Security Policy Compliance Documents
In addition to sample policy documents, the following forms and agreements help you implement your information security program.
- Information Security Policy Compliance Agreement
- Management Risk Acceptance Memo
- Two-Page Simple Non-Disclosure Agreement
- Sample Data Classification Quick Reference Table
- Sample Identity Token Responsibility Statement
- Sample Employment Termination Procedure
- Sample Security Incident Reporting Form
- Sample Information Security Policy Glossary
Information Security Policy Development Resources
- Policy Development Plan Checklist (Appendix D)
- Suggested Next Steps after Policy Development (Appendix E)
- List Of Suggested Awareness-Raising Methods (Appendix F)
- Regulatory Requirements for Information Security Policies (Appendix G)
- Using This Guide for Regulatory Requirements
- Using this guide for PCI-DSS
- Using this guide for HIPAA/HiTECH Security Requirements
- Using this guide for Sarbanes-Oxley Requirements
- Using this guide for NIST (FISMA) Security Requirements
Index Of New Information Security Policies
About the Author
About Charles Cresson Wood

Recipient of Computer Security Institute’s Lifetime Achievement Award
Charles Cresson Wood, CISSP, CISM, CISA is an author, researcher, and management consultant based in Mendocino, California. In the information security field on a full-time basis since 1979, he has worked as an information security management consultant at SRI International (formerly Stanford Research Institute), as well as lead network security consultant at Bank of America. He has done information security work with over 120 organizations, many of them Fortune 500 companies, including a significant number of financial institutions and high-tech companies. His consulting work has taken him to over twenty different countries around the world.
He is noted for his ability to integrate competing objectives (like ease-of-use, speed, flexibility and security) in customized and practical compromises that are acceptable to all parties involved. Acknowledging that information security is multi-disciplinary, multi-departmental, and often multi-organizational, he is additionally noted for his ability to synthesize a large number of complex considerations and then to document these in information security architectures, information security requirement statements, risk assessments, project plans, policy statements, and other clear and action-oriented documents.
He has published over 375 technical articles and six books in the information security field. In addition to various TV and radio appearances, he has been quoted as an expert in publications such as Business Week, Christian Science Monitor, Computerworld, IEEE Spectrum, Infoworld, LA Times, Network Computing, Network World, PC Week, The Wall Street Journal, and Time. He has also presented cutting-edge information security ideas at over 100 technical and professional conferences around the globe.
For over 10 years, Mr. Wood was a Senior North American Editor for the Elsevier academic research journal “Computers & Security” and the practitioner’s newsletter “Computer Fraud & Security Bulletin.” For over 17 years, for the Computer Security Institute, he wrote a monthly column about information security policies for the newsletter “Computer Security Alert.” He has also been an information security strategy columnist for the global technology media company TechTarget.
He holds an MBA in financial information systems, an MSE in computer science, and a BSE in accounting from the Wharton School of Business at the University of Pennsylvania. He has also passed the Certified Public Accountant (CPA) examination. He is a Certified Information Security Manager (CISM), a Certified Information Systems Auditor (CISA), and a Certified Information Systems Security Professional (CISSP). In November 1996 he received the Lifetime Achievement Award from the Computer Security Institute for his “sincere dedication to the computer security profession.” Mr. Wood is currently attending St. Francis School of Law on a part-time basis, and when he graduates and passes the California bar exam, he intends to specialize in intellectual property protection and privacy matters.
Here is a sampling of the over 375 security-related articles by Charles Cresson Wood:
- “Researchers Must Disclose All Sponsors And Potential Conflicts,” Computer Security Alert, No. 197, March 2000; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 220]
- “Integrated Approach Includes Information Security,” Security, pp. 43-44, February 2000; Publisher: Cahners, Des Plains, IL. [pub. no. 219]
- “Get Data Safety Policies In Place,” American Banker, 11 February 2000, p. 7; Publisher: American Banker, New York, NY. [pub. no. 218]
- “All Internet Personal Data Gathering Techniques Must Be Disclosed,” Computer Security Alert, No. 196, February 2000; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 217]
- “The Information Security Profession: Evolutionary Career Paths,” Information Security, November 1999; Publisher: ICSA.net, Norwood, MA. [pub. no. 214]
- “Disclosures Of Private Information Without Data Subject Consent,” Computer Security Alert, No. 193, November 1999; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 212]
- “Termination Of Outsourcing Contracts For Security Violations,” Computer Security Alert, No. 191, September 1999; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 210]
- “Top Ten Impediments To Implementing An Information Security Policy,” Information Security, September 1999 (cover story); Publisher: Information Security, Norwood, MA. [pub. no. 209]
- “A Functional Comparison Of Tandem Data Replication Software Packages,” an extensive independent report prepared for customers and prospects, August 1999; Publisher: Compaq Corporation, Cupertino, CA. [pub. no. 207]
- “Subjects Given Opportunity To Block Private Information Disclosures,” Computer Security Alert, No. 189, June 1999; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 205]
- “Use Of Personal Digital Assistants, Hand-Held Computers, And Smart Phones For Corporate Business Information,” Computer Security Alert, No. 186, March 1999; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 202]
- “All Systems Access Privileges Cease When Workers Terminate,” Computer Security Alert, No. 185, February 1999; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 202]
- “Non-Compliance And Disciplinary Action,” Computer Security Alert, No. 182, November 1998; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 198]
- “Convenience Versus Multi-Factor User Authentication,” Computer Security Alert, No. 181, October 1998; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 196]
- “Twelve New Vulnerabilities Introduced by Internet Commerce,” Information Security Bulletin, September 1998 (volume 3, issue 6, cover story); Publisher: Chi Publishing Ltd., London, England. [pub. no. 195]
- “All Telephone Transactions Require Positive Caller Identification,” Computer Security Alert, No. 179, August 1998; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 193]
- “The Truth About Masquerading and Spoofing,” Network Magazine, February 1998; Publisher: Miller Freeman, San Francisco, CA. [pub. no. 183]
- “Unauthorized Information Disclosure and Loss of Stock Options,” Computer Security Alert, No. 173, December 1997; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 185]
- “Managing Perceptions About Internet Electronic Commerce Security,” Computer Security, Audit & Control, February 1997; Publisher: Management Advisory Services Publications, Wellesley Hills, MA. [pub. no. 165]
- “Information Security: Are We Winning the Game?” Computer Fraud & Security Bulletin, January 1997; Publisher: Elsevier Science Technology, Oxford, England. [pub. no. 162]
- “Encryption for Files Left on Anonymous FTP Servers,” Computer Security Alert, No. 163, October 1996; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 159]
- “Encryption Systems Must Include Key Escrow,” Computer Security Alert, No. 157, April 1996; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 152]
- “Cryptography Plays Central Role in Future Electronic Commerce,” Computer Fraud & Security Bulletin, March 1996, pp. 9-10; Publisher: Elsevier Science Technology, Oxford, England. [pub. no. 151]
- “Users Must Not Attempt to Eradicate Viruses,” Computer Security Alert, No. 156, March 1996; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 150]
- “EDP Audit Must Be Independent of Information Security,” Computer Security Alert, No. 155, February 1996; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 147]
- “Reliance on Information Downloaded From Internet,” Computer Security Alert, No. 153, December 1995; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 145]
- “When to Report Computer Crimes to Law Enforcement,” Computer Security Alert, No. 151, October 1995; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 141]
- “New Intellectual Property and the Need for Information Security,” Computer Fraud & Security Bulletin, September 1995, pp. 18-19; Publisher: Elsevier Science Ltd., Oxford, England. [pub. no. 139]
- “Require Approval for Official Statements Posted to the Internet,” Computer Security Alert, No. 149, August 1995; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 136]
- “Internet Anarchy and the Effectiveness of Laws,” Computerworld, 12 June 1995. Expanded version also appears as “Need for Worldwide Internet Laws,” in Computer Fraud & Security Bulletin, p. 10, July 1995; Publisher: Elsevier Science Publishers, Oxford, England. [pub. no. 133]
- “ISO 9000 and Information Security,” Computers & Security, vol. 14, no. 4, pp. 287-288, October 1995; Publisher: Elsevier Science Publishers, Oxford, England (co-author Karen Snow). [pub. no. 131]
- “Why SATAN Should Not Have Been Distributed As It Was,” Computer Security Alert, No. 146, May 1995; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 128]
- “Destroy Archived Electronic Mail Periodically,” Computer Security Alert, No. 142, January 1995; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 124]
- “Wireless Network Security,” Proceedings of Wireless Datacom ’94 Conference, held in Washington, DC, 6-8 December 1994; Publisher: Business Communications Review, Hinsdale, IL. [pub. no. 122]
- “Fifty Ways to Secure Dial-Up Communications,” Computers & Security, May 1994, vol. 13, no. 3, pp. 209-215; Publisher: Elsevier Advanced Technology, Oxford, England. [pub. no. 118]
- “Identity Token Usage at American Commercial Banks,” Computer Fraud & Security Bulletin, March 1995, pp. 14-16; Publisher: Elsevier Science Publishers, Oxford, England. [pub. no. 114]
- “Security Problems in Collaborative Computing,” Network World, October 1994; Publisher: International Data Group, Framingham, MA. [pub. no. 113]
- “The Newest Threat to Information Security: Open Book Management,” EDPACS, August 1994; Publisher: Warren Gorham Lamont, Boston, MA. [pub. no. 110]
- “Principles of Secure Information Systems Design with Groupware Examples,” Proceedings of the Groupware ’92 Conference, held in San Jose, California, 3-5 August 1992; Publisher: Morgan Kaufmann Publishers, San Mateo, CA. [pub. no. 75]
- “A Strategy for Developing Information Security Documents,” Journal of Information Systems Security, vol. 1, issue 2, Summer 1992, pp. 71-78; Publisher: Auerbach Publishers, New York, NY (co-author: Juhani Saari). [pub. no. 68]
- “Using Information Security to Achieve Competitive Advantage,” Proceedings of the 18th Annual CSI Conference, Miami, Florida, November 11-15, 1991; Publisher: Computer Security Institute, San Francisco, California. [pub. no. 58]
- “Data Dictionaries and Information Security,” Proceedings of SECURICOM ’84 International Conference, Cannes, France, 29 February – 2 March 1984, pp. 55-63; Publisher: SEDEP, Paris, France. [pub. no. 24]
- “International Barriers to Information Flows,” SRI International Business Intelligence Report, Report #1057, March 1981; Publisher: SRI International, Menlo Park, CA. [pub. no. 10]
- “Computer Crime: Criminal Justice Resource Manual,” with Parker, Donn B.; Publisher: U.S. Government Printing Office, Washington, DC; prepared for U.S. Department of Justice; order no. 1979-311-379/1710, 1979. [pub. no. 1]
Featured Sample Information Security Policies
Classification Of Information Security Policies And Procedures
(These sample policies and commentary are from over 1500 security policy templates from Information Security Policies Made Easy, Copyright ©2017.)
Policy: All Company X information security documentation including, but not limited to, policies, standards, and procedures, must be classified as “Internal Use Only,” unless expressly created for external business processes or partners.
Commentary: This policy prevents workers from disclosing to outsiders the specifics of how Company X secures its information and systems. These details could be used to compromise Company X information and systems. For example, knowledge about an internal process may help an industrial spy commit credible social engineering fraud. Because some information security policies are made public (for example on a web page), some workers may get the impression that other information security policies may be publicly released without adverse consequence. Information security policies should be revealed to outsiders only when it is required for business reasons, legal requirements, or because it is the ethical thing to do. Not all of the information security policies need to be released in these instances, and a summary statement is not only advisable but is appreciated by the recipients. Each information security policy document should be marked with an appropriate classification in order to communicate whether or not the policies are public information.
Risk Assessment – Documented Methodology
Policy: Company X must specify and document a formal methodology for performing risk assessments. The specification must include, at a minimum, the risk methodology (quantitative or qualitative) used, specific criteria for ranking assets, sources of vulnerability and threat data, and acceptable risk thresholds.
Commentary: This policy ensures that Company X uses a consistent, documented methodology for performing system risk assessments. By their very nature, risk assessments can be very subjective. By providing documentation of the risk methodology used, the organization can provide some level of consistency between different organizational units or teams performing risk assessments. One example of such a methodology is the Facilitated Risk Assessment (FRA). This process, which utilizes a qualitative risk analysis, is geared to a specific application, system or network. It allows risks to be addressed in financial and non-financial terms, as well as taking into consideration secondary impacts. It is a formal methodology that is driven by the system’s owners, conducted by a facilitator, and can be completed in a relatively short period of time.
Annual Review of Applicable Security Policies
Policy: All Company X employees and contractors must review and acknowledge acceptance of the information security policies which apply to them at least on an annual basis.
Commentary: One of the key controls in any information security program is the education and training of users on both generic information security principles and specific company policies. This policy requires each user within the organization to read each set of security policies which applies to them, and to sign an agreement acknowledging that they have read and agree to abide by these policies. This policy has been in practice for many years in some organizations without being formally documented. While many organizations require a user to sign an agreement to abide by policies when they first join the company, many times this form ends up in a personnel file never to be seen again. This policy is not only required by many security-related laws, it is critical documentation for any potential lawsuit involving employee violations of policy. While this seems like a large administrative burden, security policy tools that automate much of this process are now available.
Information Ownership Assignment
Policy: The Chief Information Officer (CIO) must clearly specify in writing the assignment of Information Ownership responsibilities for those databases, master files, and other shared collections of information used to support production business activities.
Commentary: This policy establishes a clear and documented delegation of information access control-related authority. A definition of delegated authorities is useful when determining access control permissions. This policy clarifies that the Owner is the person responsible for security and related matters for shared information resources such as a database or network file share. Often information security activities are forgotten when several people are potentially responsible but no one has been specifically assigned responsibility. This policy will be particularly helpful within organizations that rely on database management systems and application programs to enforce access controls.