SANS Renews Library of Information Security Policy Templates

  • Bethesda, MD
  • September 3, 2014

The SANS Institute today released twenty-seven completely refreshed information security policy templates that corporations and government agencies can use to ensure their security policies are practical, up-to-date and reflect real-world experience.

The release of new policy templates updates one of SANS' most popular services for the security community. SANS' policy template library has been used by at least 10,000 unique visitors each month for over a decade. The update announced today is a complete refresh of the policy library - removing policies that are no longer needed, adding policies to deal with new technologies and new threats, and updating the remaining policies to reflect changes in practice.

The update reflects the consensus of a team of industry professionals chaired by Michele D. Guel, a Senior Security Architect and Distinguished IT Engineer at Cisco Systems. Michele is a 26-year veteran of the cybersecurity industry and has been an advocate and supporter of the SANS community since its inception.

Although the policy templates were developed primarily to serve the 125,000 SANS alumni, SANS makes these resources available to all security managers and practitioners, at no charge. The templates may be downloaded from the SANS Security Policy Project site at

What's included?

  • For general policies, policy titles include Acceptable Use, Acceptable Encryption, Password Construction, Password Protection, Email Use, Disaster Recovery Plans, and Security Response Plans.
  • For network security policies, users will find templates for policies regarding Remote Access, Router and Switch Security, Wireless Communications and Standards, and the Assessment of Potential Acquisitions.
  • For server security, users will find templates for policies covering Database Credentials, Technology Equipment Disposal, Lab Security, and Software Installation.
  • The templates database also includes a Web Application Security Policy template.

The policy templates in the database are often generalized versions of policies developed for and used by leading corporations and/or government entities, and have been reviewed by professionals who themselves have been responsible for training thousands of others in the development of enterprise security policies and practices.

Alan Paller, Director of Research at the SANS Institute, says, "The Policy Project site allows organizations to create better policies, faster, by starting from a proven set of templates. It also helps ensure their own policies have sufficient scope and depth relative to those included in the library. The policy templates are intended to be appropriately brief, easy to read, and feasible to implement, and our expectation is that each would need to be further tailored for any particular organization."

"This is a milestone within an ongoing project, not a conclusion," commented Michele Guel, Project Team Leader. "Over the coming months, the project team will add additional topics and templates (including addressing additional templates for 'mobile' and 'cloud' policies) while revising the existing library based on the feedback we'll receive after this current refresh."

Call to Action: Experienced members of the community are urged to review these policy templates and, where they feel the templates may be meaningfully improved, please send edits and suggestions to us at In addition, we welcome additional experienced volunteers or the submission of additional policy templates in areas that remain as yet unaddressed.

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions worldwide. Renowned SANS instructors teach more than 60 courses at In-Person and Live Online cyber security training events, and more than 50 courses are available anytime, anywhere with our OnDemand platform. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master’s degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their ‘human’ cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system – the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community.