Individual Policy Descriptions

Acceptable Use Policy (AUP) This large and far-reaching policy communicates to users how the network may be used.  This policy covers such areas as personal use of email and the Internet, blogging, excessive use, peer-to-peer file sharing, personal storage media, user software installation, instant messaging, monitoring, copyright infringement, prohibited activities, and much more.
Password Policy Covers minimum acceptable standards for network authentication, including password standards, use, and frequency of change.  The policy also includes user guidelines for creating secure and easy-to-remember passwords.
Backup Policy Presents the company's backup strategy, including identification of critical systems and data, frequency of incremental and full backups, responsibilities of the backup administrator, storage of backups, offsite rotation, restoration procedures, and more.
Network Access and Authentication Policy Covers the corporate standards for accessing the network, including such topics as account setup and use, authentication methods, minimum configurations, off-hours access, and more.
Incident Response Policy Specifies exactly how the organization will respond in the event of a suspected security incident.  This policy defines security incidents, both physical (such as the loss of a laptop) and electronic.  Includes preparation plans, response activities for different scenarios, and forensics/recovery based on the company's stated goals.
Remote Access Policy States the company's position on accessing the corporate network remotely.  Covers such topics as: permitted use of the network from remote sources, use of VPN/encryption software, and accessing the network from non-company-owned computers.
VPN Policy Covers how the company connects to remote sites or business partners with site-to-site VPNs.  Includes such topics as authentication, encryption, management, logging and monitoring.
Guest Access Policy States the company's policy for allowing guests, such as contractors or visitors, to connect to the corporate network.  The policy covers AUP acceptance, account use, security of guest machines, guest infrastructure requirements, and more.
Wireless Access Policy States the company's position on use of wireless networking, including installation and configuration guidelines, access to confidential data, and inactivity.
Third Party Connection Policy This policy covers company standards for connecting to third parties such as vendors, partners, customers, and consultants.  It includes topics such as the use and security of third-party connections, access restrictions, and audits.
Network Security Policy This in-depth policy is by nature the most technical, and covers such topics as: use of antivirus software, server patch management, default installations of systems, vulnerability management, logging, network segmentation, router/firewall/switch security, and more.
Encryption Policy Specifies the company's encryption standards and how encryption is to be implemented.  Includes applicability of encryption technology, key management, minimum strength of encryption, and legal use.
Confidential Data Policy Identifies what the company considers confidential data and specifies how it should be handled.  Covers such topics as access, encryption, transmission over the network, third-party access, and more.
Data Classification Policy Sets guidelines for how the company deals with different types of data.  Data is classified into five categories, with standards set for each on the storage, transmission, and destruction of the information.
Mobile Device Policy Communicates the company's position on the use and security of mobile devices such as laptops, PDAs, smart phones and mobile storage media such as flash drives.
Retention Policy Covers the company's policy on storage, retention, and destruction of the different types of data (as classified by the Data Classification Policy).
Outsourcing Policy Outlines the company's policy on using outside vendors, consultants, or managed service providers to handle certain functions of IT.  Covers the decision to outsource, provider evaluation, and security controls associated with outsourcing.
Physical Security Policy Sets standards for the physical side of securing IT assets, including security zones, access controls, physical data/system security, minimizing risk, entry security, and more.  Please note that this policy only touches on physical security as it relates to information technology.
Email Policy Sets the company's standards for appropriate, safe, and effective email use.  Covers the company's email system in its entirety, including desktop and/or web-based email applications, server-side applications, email relays, associated hardware, and all electronic mail sent from the system.
User Acceptance Page This is a simple document that users sign to acknowledge their receipt of, and agreement to, the user-oriented policies.
Standard Forms These commonly used forms will help create a paper trail to ensure compliance with the applicable policies.  Forms provided are:

  • Security Incident Report
  • Notice of Policy Noncompliance
  • Account Setup Request
  • Guest Network Access Request
  • Request for Policy Exemption
  • Visitor Log
