Welcome to the SANS Security Policy Resource page, a consensus research project of the SANS community. The ultimate goal of the project is to offer everything you need for rapid development and implementation of information security policies. You'll find a great set of resources posted here already including policy templates for twenty-four important security requirements.
There is no cost for using these resources. They were compiled to help the people attending SANS training programs, but security of the Internet depends on vigilance by all participants, so we are making this resource available to the entire community.
Over the years a frequent request of SANS attendees has been for consensus policies, or at least security policy templates, that they can use to get their security programs updated to reflect 21st century requirements. While SANS has provided some policy resources for several years, we felt we could do more if we could get the community to work together. This page provides a vastly improved collection of policies and policy templates.
It also offers a primer for those new to policy development and specific guidance on policies related to legal requirements such as the HIPAA guidelines.
This page will continue to be a work in progress and the policy templates will be living documents. We hope all of you who are SANS attendees will be willing and able to point out any problems in the models we post by emailing us at firstname.lastname@example.org. We also hope that you will share policies your organization has written if they reflect a different need from those provided here or if they do a better job of making the policies brief, easy to read, feasible to implement, and effective.
We'll make improvements and add new resources and sample policies as we discover them.
What's in a name? We frequently hear people use the names "policy", "standard", and "guideline" to refer to documents that fall within the policy infrastructure. So that those who participate in this consensus process can communicate effectively, we'll use the following definitions.
A policy is typically a document that outlines specific requirements or rules that must be met. In the information/network security realm, policies are usually point-specific, covering a single area. For example, an "Acceptable Use" policy would cover the rules and regulations for appropriate use of the computing facilities.
A standard is typically a collection of system-specific or procedure-specific requirements that must be met by everyone. For example, you might have a standard that describes how to harden a Windows NT workstation for placement on an external (DMZ) network. People must follow this standard exactly if they wish to install a Windows NT workstation on an external network segment.
A guideline is typically a collection of system-specific or procedure-specific "suggestions" for best practice. They are not requirements to be met, but they are strongly recommended. Effective security policies make frequent references to the standards and guidelines that exist within an organization.
Need a Sample Information Security Policy or Template?
SANS has received permission to provide sanitized security policies from a large organization. These policies were developed by a group of experienced security professionals with more than 80 years of combined experience in government and commercial organizations, and each policy went through a rigorous approval process. They should form a good starting point if you need one of these policies.
Some Tips About These Policies
Anything that is in <angle brackets> should be replaced with the appropriate name from your organization. The term "InfoSec" is used throughout these documents to refer to the team of people responsible for network and information security. Replace "InfoSec" with the appropriate group name from your organization. Any policy name that is in italics is a reference to a policy that is also available on this site.
Acquisition Assessment Policy
Defines responsibilities regarding corporate acquisitions, and defines the minimum requirements of an acquisition assessment to be completed by the information security group.
Defines requirements for internal labs to ensure that confidential information and technologies are not compromised, and that production services and interests of the organization are protected from lab activities.
Defines the requirements and provides the authority for the information security team to identify, assess, and remediate risks to the organization's information infrastructure associated with conducting business.
Are you new to developing security policies? Do you need a refresher course or something to help you convince management of the need for policies? If so, check out the 30-page policy primer from Michele Guel's full day course "Proven Practices for Managing the Security Function."
More than 1,000 security officers have learned how to manage the security process from Michele D. Guel. Her experience as a trusted senior security professional in the US government and in one of the nation's largest technology companies has provided a solid foundation for her courses. Over the years she has developed and implemented dozens of policies, but she is always open to new ways of approaching problems and new ways of improving security.
Do You Have a Question Regarding Information Security Policies or Something to Contribute?
If you have a question regarding security policies, or want to share a sample policy or a resource site you feel is worthy of mention, send email to email@example.com.