Policy Library
Policy Source™ policies, developed and enhanced over a twenty-year span, have been vetted against numerous industries and are aligned with global cyber security frameworks and evolving industry best practices.
Whether you’re looking for standardized policies with your company logo that can be downloaded today, or customized policies designed to meet your organization’s specific requirements, our comprehensive policy library is where you should start.
Come straight to the source!
The purpose of this policy is to provide the requirements for acceptable use of company technology, devices, and information resources.
Sections include: PERSONAL USAGE, BUSINESS PURPOSE USAGE, MONITORING, and ENFORCEMENT
The purpose of this policy is to provide the requirements for acceptable use of company technology, devices, and information resources.
Sections include: PERSONAL USAGE, BUSINESS PURPOSE USAGE, MONITORING, ENFORCEMENT, and ACKNOWLEDGEMENT
The purpose of this policy is to define organizational requirements for physical and logical access controls.
Sections include: ACCESS CONTROLS, PHYSICAL ACCESS CONTROLS, and USER ACCESS CONTROL
The purpose of this policy is to define application security requirements for newly developed applications.
Sections include: APPLICATION DEVELOPMENT and CUSTOM CODE REVIEWS
The purpose of this policy is to define organizational requirements for managing assets and inventory.
Sections include: ASSET MANAGEMENT, ASSET INVENTORY, and ASSET LIFECYCLE
The purpose of this policy is to define organizational requirements for security awareness and training.
Sections include: AWARENESS AND TRAINING
The purpose of this policy is to define Mobile Device Management (MDM) requirements for non-corporate provided devices (BYOD).
Sections include: MOBILE REQUIREMENTS, SECURITY, SUPPORT, LOST / STOLEN DEVICES, and RISKS / LIABILITIES / DISCLAIMERS
The purpose of this policy is to define organizational requirements for business continuity and information technology disaster recovery.
Sections include: GOVERNANCE, PLANNING, and TESTING
The purpose of this policy is to define change management requirements.
Sections include: CHANGE REQUIREMENTS, DOCUMENTATION, REVIEW AND APPROVAL, and IMPLEMENTATION
The purpose of this policy is to define the requirements for maintaining a secure and clean desk.
Sections include: WORKSPACE, END-USER COMPUTING DEVICES, STORAGE, and DATA DISPOSAL
The purpose of this policy is to define organizational requirements for maintaining system configurations.
Sections include: BASELINE CONFIGURATIONS, CHANGE MANAGEMENT, and CONFIGURATION SETTINGS
The purpose of this policy is to define organizational requirements for data backups.
Sections include: DATA BACKUP, OFF-SITE BACKUPS, and RETENTION
The purpose of this policy is to define organizational requirements for data classification.
Sections include: DATA CLASSIFICATION, PUBLIC DATA, INTERNAL-USE DATA, CONFIDENTIAL DATA, and RESTRICTED DATA
The purpose of this policy is to define organizational requirements for data handling.
Sections include: DATA HANDLING
The purpose of this policy is to define organizational requirements for disposing of electronic media and physical technology assets.
Sections include: TECHNOLOGY EQUIPMENT DISPOSAL and SALE OR TRANSFER OF TECHNOLOGY ASSETS
The purpose of this policy is to define the requirements for the proper use of company email accounts.
Sections include: EMAIL USAGE, BACKUP AND RETENTION, and COMPLIANCE
The purpose of this policy is to define organizational requirements for encryption.
Sections include: ENCRYPTION METHODS, ENCRYPTION REQUIREMENTS, KEY AGREEMENT AND AUTHENTICATION, ALGORITHM, KEY ACCESS MANAGEMENT, and KEY GENERATION AND STORAGE
The purpose of this policy is to define requirements for the use of <Company Name> managed end-user computing devices.
Sections include: END-USER DEVICES, CONNECTION, and DEVICE LIFECYCLE
The purpose of this policy is to define organizational human resource security requirements.
Sections include: SCREENING, EMPLOYMENT TERMS AND CONDITIONS, TRAINING AND AWARENESS, DISCIPLINARY PROCESS, and TERMINATION OR CHANGE OF ROLE
The purpose of this policy is to define organizational requirements for identifiers and authentication methods.
Sections include: IDENTIFIERS, AUTHENTICATION, and PKI-BASED AUTHENTICATION
The purpose of this policy is to define organizational requirements for information security incident management.
Sections include: INFORMATION SECURITY INCIDENT and TRAINING
The purpose of this policy is to define organizational requirements for Information Security.
Sections include: SECURITY TRAINING AND AWARENESS, IT SYSTEMS, SOFTWARE, DEVICES, SECURITY RISK REVIEW, and SECURITY INCIDENT MANAGEMENT
The purpose of this policy is to define the requirements for the appropriate utilization of company provided internet access.
Sections include: ALLOWED USAGE, PROHIBITED USAGE, and MONITORING
The purpose of this policy is to define requirements for logging and monitoring to detect security events.
Sections include: LOG CONFIGURATION, LOG INTEGRITY, and LOG MONITORING
The purpose of this policy is to define organizational requirements for disposing of media.
Sections include: MANAGEMENT OF MEDIA, MEDIA DISPOSAL, and SALE OR TRANSFER OF MEDIA
The purpose of this policy is to define Mobile Device Management (MDM) requirements for company provided mobile devices.
Sections include: PROCUREMENT AND SETUP, MOBILE DEVICE USAGE, SECURITY, and DEVICE LIFECYCLE
The purpose of this policy is to define organizational requirements for securing and configuring company networks.
Sections include: NETWORK SECURITY CONTROLS, NETWORK SEGMENTATION, ELECTRONIC MESSAGING, NETWORK SECURITY CONFIGURATION, NETWORK CONFIGURATIONS, and CHANGE MANAGEMENT
The purpose of this policy is to define organizational requirements for passwords.
Sections include: PASSWORD and PASSWORD MANAGEMENT
The purpose of this policy is to define patching requirements for IT systems.
Sections include: PATCH REQUIREMENTS, PATCH REVIEW, and PATCH SCHEDULE
The purpose of this policy is to define physical security requirements for facilities, physical assets, and data centers.
Sections include: PHYSICAL SECURITY FOR FACILITIES and PHYSICAL SECURITY FOR DATA CENTERS
The purpose of this policy is to define quality assurance and user acceptance testing requirements.
Sections include: QUALITY ASSURANCE and USER ACCEPTANCE TESTING
The purpose of this policy is to define records retention requirements.
Sections include: RECORDS RETENTION AND DESTRUCTION, RECORDS ACCESS, and RECORDS STORAGE
The purpose of this policy is to define organizational requirements for remote access.
Sections include: REMOTE ACCESS AUTHORIZATION, REMOTE ACCESS, REMOTE SESSION, and REMOTE ACCESS ACCOUNT DEACTIVATION REQUIREMENTS
The purpose of this policy is to define risk management requirements.
Sections include: RISK MANAGEMENT, RISK IDENTIFICATION, RISK ASSESSMENT, RISK RESPONSE, and RISK MONITORING
The purpose of this policy is to define requirements for assessing security controls.
Sections include: SECURITY ASSESSMENT and SECURITY CONTROL MONITORING
The purpose of this policy is to define organizational software development lifecycle (SDLC) requirements.
Sections include: SECURE SOFTWARE DEVELOPMENT LIFECYCLE, CHANGES, and TESTING
The purpose of this policy is to define system and information integrity requirements.
Sections include: SYSTEM AND INFORMATION INTEGRITY, SCANNING, and PROTECTION
The purpose of this policy is to define organizational requirements for third party management.
Sections include: ONBOARDING, MAINTENANCE, and OFF-BOARDING
The purpose of this policy is to define video surveillance requirements.
Sections include: VIDEO SURVEILLANCE REQUIREMENTS and USE OF VIDEO SURVEILLANCE ON PROPERTIES
The purpose of this policy is to define vulnerability management requirements.
Sections include: VULNERABILITY ASSESSMENT, VULNERABILITY REVIEW, and VULNERABILITY REMEDIATION