Information Security Policy Templates

Introduction to the SANS Security Policy Project

Welcome to the SANS Security Policy Resource page, a consensus research project of the SANS community. The ultimate goal of the project is to offer everything you need for rapid development and implementation of information security policies. You'll find a great set of resources posted here already including policy templates for twenty-four important security requirements.

There is no cost for using these resources. They were compiled to help the people attending SANS training programs, but security of the Internet depends on vigilance by all participants, so we are making this resource available to the entire community.

Over the years a frequent request of SANS attendees has been for consensus policies, or at least security policy templates, that they can use to get their security programs updated to reflect 21st century requirements. While SANS has provided some policy resources for several years, we felt we could do more if we could get the community to work together. This page provides a vastly improved collection of policies and policy templates.

It also offers a primer for those new to policy development and specific guidance on policies related to legal requirements such as the HIPAA guidelines.

This page will continue to be a work in-progress and the policy templates will be living documents. We hope all of you who are SANS attendees will be willing and able to point out any problems in the models we post by emailing us at We also hope that you will share policies your organization has written if they reflect a different need from those provided here or if they do a better job of making the policies brief, easy to read, feasible to implement, and effective.

We'll make improvements and add new resources and sample policies as we discover them.

Is it a Policy, a Standard or a Guideline?

What's in a name? We frequently hear people use the names "policy", "standard", and "guideline" to refer to documents that fall within the policy infrastructure. So that those who participate in this consensus process can communicate effectively, we'll use the following definitions.

A policy is typically a document that outlines specific requirements or rules that must be met. In the information/network security realm, policies are usually point-specific, covering a single area. For example, an "Acceptable Use" policy would cover the rules and regulations for appropriate use of the computing facilities.

A standard is typically a collection of system-specific or procedural-specific requirements that must be met by everyone. For example, you might have a standard that describes how to harden a Windows 8.1 workstation for placement on an external (DMZ) network. People must follow this standard exactly if they wish to install a Windows 8.1 workstation on an external network segment. In addition, a standard can be a technology selection, e.g. Company Name uses Tenable SecurityCenter for continuous monitoring, and supporting policies and procedures define how it is used.

A guideline is typically a collection of system specific or procedural specific "suggestions" for best practice. They are not requirements to be met, but are strongly recommended. Effective security policies make frequent references to standards and guidelines that exist within an organization.

Need a Sample Information Security Policy or Template?

SANS has received permission to provide sanitized security policies from a large organization. These policies were developed by a group of experienced security professionals with more than 80 years of combined experience in government and commercial organizations, and each policy went through a vigorous approval process. They should form a good starting point if you need one of these policies.

Some Tips About These Policies

Anything that is in <angle brackets> should be replaced with the appropriate name from your organization. The term "InfoSec" is used throughout these documents to refer the team of people responsible for network and information security. Replace "InfoSec" with the appropriate group name from your organization. Any policy name that is in italics is a reference to a policy that is also available on this site.

Acquisition Assessment Policy

Defines responsibilities regarding corporate acquisitions, and defines the minimum requirements of an acquisition assessment to be completed by the information security group.

Bluetooth Device Security Policy

This policy provides for more secure Bluetooth Device operations. It protects the company from loss of Personally Identifiable Information (PII) and proprietary company data.

Dial-in Access Policy

Defines appropriate dial-in access and its use by authorized personnel.

Ethics Policy

Defines the means to establish a culture of openness, trust and integrity in business practices.

Information Sensitivity Policy

Defines the requirements for classifying and securing the organization's information in a manner appropriate to its sensitivity level.

Internal Lab Security Policy

Defines requirements for internal labs to ensure that confidential information and technologies are not compromised, and that production services and interests of the organization are protected from lab activities.

Personal Communication Devices and Voicemail Policy

Describes Information Security's requirements for Personal Communication Devices and Voicemail.

Risk Assessment Policy

Defines the requirements and provides the authority for the information security team to identify, assess, and remediate risks to the organization's information infrastructure associated with conducting business.

Technology Equipment Disposal - Policy SANS Technology Institute White Paper Projects

- Jim Beechey, SANS Technology Institute White Paper Project
View Technology Equipment Disposal Policy (DOC) (32KB)
October 2008

Technology Equipment Disposal - Poster

- Jim Beechey, SANS Technology Institute White Paper Project
View Technology Equipment Disposal Poster (PDF) (118KB)
October 2008

Web Application Security Assessment Policy

Author: John Hally
Month: February, 2011

Need a Primer on Security Policies?

Are you new to developing security policies? Do you need a refresher course or something to help you convince management of the need for policies? If so, check out the 30-page policy primer from Michele Guel's full day course "Proven Practices for Managing the Security Function."

Policy Primer (PDF)

Additional Resources:

About the Project Director

More than 1,000 security officers have learned how to manage the security process from Michele D. Guel. Her experience as a trusted senior security professional in the US government and in one of the nation's largest technology companies has provided a solid foundation for her courses. Over the years she has developed and implemented dozens of policies, but she is always open to new ways of approaching problems and new ways of improving security.

Do You Have a Question Regarding Information Security Policies or Something to Contribute?

If you have a question regard security polices or want to share a sample policy or a resource site you feel worth of mention, send email to