SANS Renews Library of Information Security Policy Templates

  • Bethesda, MD
  • September 3, 2014

The SANS Institute today released twenty-seven completely refreshed information security policy templates that corporations and government agencies can use to ensure their security policies are practical, up-to-date and reflect real-world experience.

The release of new policy templates updates one of SANS' most popular services for the security community. SANS' policy template library has been used by at least 10,000 unique visitors each month for over a decade. The update announced today is a complete refresh of the policy library - removing policies that are no longer needed, adding policies to deal with new technologies and new threats, and updating the remaining policies to reflect changes in practice.

The update reflects the consensus of a team of industry professionals chaired by Michele D. Guel, a Senior Security Architect and Distinguished IT Engineer at Cisco Systems. Michele is a 26-year veteran of the cybersecurity industry and has been an advocate and supporter of the SANS community since its inception.

Although the policy templates were developed primarily to serve the 125,000 SANS alumni, SANS makes these resources available to all security managers and practitioners, at no charge. The templates may be downloaded from the SANS Security Policy Project site at http://www.sans.org/info/166795.

What's included?

  • For general policies, policy titles include Acceptable Use, Acceptable Encryption, Password Construction, Password Protection, Email Use, Disaster Recovery Plans, and Security Response Plans.
  • For network security policies, users will find templates for policies regarding Remote Access, Router and Switch Security, Wireless Communications and Standards, and the Assessment of Potential Acquisitions.
  • For server security, users will find templates for policies covering Database Credentials, Technology Equipment Disposal, Lab Security, and Software Installation.
  • The templates database also includes a Web Application Security Policy template.

The policy templates in the database are often generalized versions of policies developed for and used by leading corporations and/or government entities, and have been reviewed by professionals who themselves have been responsible for training thousands of others in the development of enterprise security policies and practices.

Alan Paller, Director of Research at the SANS Institute, says, "The Policy Project site allows organizations to create better policies, faster, by starting from a proven set of templates. It also helps ensure their own policies have sufficient scope and depth relative to those included in the library. The policy templates are intended to be appropriately brief, easy to read, and feasible to implement, and our expectation is that each would need to be further tailored for any particular organization."

"This is a milestone within an ongoing project, not a conclusion," commented Michele Guel, Project Team Leader. "Over the coming months, the project team will add additional topics and templates (including addressing additional templates for 'mobile' and 'cloud' policies) while revising the existing library based on the feedback we'll receive after this current refresh."

Call to Action: Experienced members of the community are urged to review these policy templates and, where they feel the templates may be meaningfully improved, to send edits and suggestions to policies@sans.org. In addition, we welcome additional experienced volunteers or the submission of additional policy templates in areas that remain as yet unaddressed.

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals at governments and commercial institutions world-wide. Renowned SANS instructors teach over 50 different courses at more than 200 live cyber security training events as well as online. GIAC, an affiliate of the SANS Institute, validates employee qualifications via 30 hands-on, technical certifications in information security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers master's degrees in cyber security. SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet's early warning system--the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to help the entire information security community. (https://www.sans.org)