Security Compliance
Documentation Templates

Acceptable Encryption Policy

The purpose of this policy is to provide guidance that limits the use of encryption to those algorithms that have received substantial public review and have been proven to work effectively. Additionally, this policy provides direction to ensure that Federal regulations are followed, and legal authority is granted for the dissemination and use of encryption technologies outside of the United States.

Acceptable Use Policy

The purpose of this policy is to outline the acceptable use of computer equipment at NSPECT.IO. These rules are in place to protect the employee and NSPECT.IO. Inappropriate use exposes NSPECT.IO to risks including virus attacks, compromise of network systems and services, and legal issues.

Acquisition Assessment Policy

The purpose of this policy is to establish Infosec responsibilities regarding corporate acquisitions, and define the minimum security requirements of an Infosec acquisition assessment.

Antivirus Guidelines

This policy was created by or for the SANS Institute for the Internet community. All or parts of this policy can be freely used by your organization. No prior approval is required.

Automatically Forwarded E-mail Policy

The purpose of this policy is to prevent the unauthorized or inadvertent disclosure of sensitive company information.

Bluetooth Baseline Requirements Policy

The purpose of this policy is to provide a minimum baseline standard for connecting Bluetooth enabled devices to the <Company Name> network or <Company Name> owned devices. The intent of the minimum standard is to ensure sufficient protection of Personally Identifiable Information (PII) and confidential <Company Name> data.

Chain Of Custody Form

The purpose of this form is to record who is in the chain of custody when an incident occurs.

Clean Desk Policy

The purpose of this policy is to establish the minimum requirements for maintaining a “clean desk” – where sensitive/critical information about our employees, our intellectual property, our customers and our vendors is secure in locked areas and out of sight. A Clean Desk policy is not only ISO 27001/17799 compliant, but it is also part of standard basic privacy controls.

Communications Equipment Policy

The purpose of this policy is to describe the requirements for the security configuration of <Company Name> communication equipment.

DMZ Equipment Policy

The purpose of this policy is to establish information security requirements for all networks and equipment deployed in <Company Name> labs located on the "De-Militarized Zone" (DMZ). Adherence to these requirements will minimize the potential risk to <Company Name> from damage to public image caused by unauthorized use of <Company Name> resources, and from the loss of sensitive/company confidential data and intellectual property.

DMZ Lab Security Policy

The purpose of this policy is to establish information security requirements for all networks and equipment deployed in <Company Name> labs located on the "De-Militarized Zone" (DMZ). Adherence to these requirements will minimize the potential risk to <Company Name> from damage to public image caused by unauthorized use of <Company Name> resources, and from the loss of sensitive/company confidential data and intellectual property.

Data Breach and Response Policy

The purpose of the policy is to establish the goals and the vision for the breach
response process. This policy will clearly define to whom it applies and under what
circumstances, and it will include the definition of a breach, staff roles and
responsibilities, standards and metrics (e.g., to enable prioritization of the
incidents), as well as reporting, remediation, and feedback mechanisms. The policy
shall be well publicized and made easily available to all personnel whose duties
involve data privacy and security protection.

Database Credentials Policy

The purpose of this policy is to state the requirements for securely storing and retrieving database usernames and passwords (i.e., database credentials) for use by a program that will access a database running on one of <Company Name>'s networks.

Dial-in Access Policy

The purpose of this policy is to protect <Company Name>'s electronic information from being inadvertently compromised by authorized personnel using a dial-in connection.

Digital Signature Acceptance Policy

The purpose of this policy is to provide guidance on when digital signatures are considered an accepted means of validating the identity of a signer in <Company Name> electronic documents and correspondence, and thus a substitute for traditional “wet” signatures, within the organization. Because communication has become primarily electronic, the goal is to reduce confusion about when a digital signature is trusted.

Disaster Recovery Plan Policy

The purpose of this policy is to define the requirement for a baseline disaster recovery plan to be developed and implemented by <Company Name> that will describe the process to recover IT systems, applications and data from any type of disaster that causes a major outage.

Email Policy

The purpose of this email policy is to ensure the proper use of the <Company Name> email system and make users aware of what <Company Name> deems acceptable and unacceptable use of its email system. This policy outlines the minimum requirements for use of email within the <Company Name> network.

Email Retention Policy

The purpose of this policy is to help employees determine what information sent or received by email should be retained and for how long.

Employee Endpoint Responsibility Policy

This policy describes Information Security's requirements for employees of <Company Name> who work outside of an office setting.

Employee Internet Use and Filtering Policy

The purpose of this policy is to define standards for systems that monitor and limit web use from
any host within <Company Name>'s network. These standards are designed to ensure employees
use the Internet in a safe and responsible manner, and ensure that employee web use can be
monitored or researched during an incident.

Ethics Policy

The purpose of this policy is to establish a culture of openness and trust, and to emphasize the employee’s and consumer’s expectation to be treated with fair business practices. This policy will serve to guide business behavior to ensure ethical conduct. Effective ethics is a team effort involving the participation and support of every <Company Name> employee. All employees should familiarize themselves with the ethics guidelines that follow this introduction.

Extranet Policy

The purpose of this policy is to describe the conditions under which third party organizations connect to <Company Name> networks for the purpose of transacting business related to <Company Name>.

ISDN Line Policy

The purpose of this policy is to explain <Company Name> analog and ISDN line acceptable use and approval policies and procedures. This policy covers two distinct uses of analog/ISDN lines: lines that are to be connected for the sole purpose of fax sending and receiving, and lines that are to be connected to computers.

Incident Communication Form

This form is used as a communication log: a record of communication events in a certain scope, excluding the content of those communications, that provides an audit trail which can be used to understand the activity of a system.

Incident Contact List

This form is a table displaying all data loss prevention, mobile device, or discovery incidents. By default, incidents are sorted by their incident time, but you can sort them (ascending or descending) by any of the columns in the table. For each incident, a quick preview of the data is provided. You can customize the types of details shown.

Incident Containment Form

This form supports containment, a methodology whereby access to information, files, systems or networks is controlled via access points.

Incident Eradication Form

This form supports eradication, a critical phase in the incident response process. Thorough recovery from security incidents requires the full removal of any malicious code or other threats that were introduced to the environment during the incident. This is the purpose of the eradication phase.

Incident Identification Form

This form records information about actual and suspected information security incidents. Such information is confidential and must be shared only with staff with designated responsibilities for managing such incidents.

Incident Survey Form

This form supports the Incident with Survey process, a version of the standard Incident process with the option of sending a simple end-user survey after the incident is resolved.

Information Logging Standard

The purpose of this document is to identify specific requirements that information systems must meet in order to generate appropriate audit logs and integrate with an enterprise’s log management function.

Intellectual Property Incident Containment Form

This form supports containment, a methodology whereby access to information, files, systems or networks is controlled via access points.

Intellectual Property Incident Contacts Form

This form covers intellectual property, which consists of inventions, literary and artistic works, symbols, images, names, designs used in commerce and original expressions of creative individuals. The key forms of intellectual property protection are patents, copyrights, trademarks and trade secrets.

Intellectual Property Incident Eradication Form

This form supports containment, a methodology whereby access to information, files, systems or networks is controlled via access points.

Intellectual Property Incident Form Checklist

The purpose of this checklist is to help prevent the most common pitfalls start-ups encounter. The IP strategy checklist is by no means all-inclusive. Many factors may influence its relevance to a particular company, depending on the jurisdiction, state and nature of the technology or innovation developed, targeted markets, competitive landscape, etc.

Intellectual Property Incident Handling Communication log

This form is used as a communication log: a record of communication events in a certain scope, excluding the content of those communications, that provides an audit trail which can be used to understand the activity of a system.

Intellectual Property Incident Identification Form

This form records information about actual and suspected information security incidents. Such information is confidential and must be shared only with staff with designated responsibilities for managing such incidents.

Internet Usage Policy

The purpose of this policy is to define the appropriate uses of the Internet by <Company Name> employees and affiliates.

Lab Security Policy

This policy establishes the information security requirements to help manage and safeguard lab resources and <Company Name> networks by minimizing the exposure of critical infrastructure and information assets to threats that may result from unprotected hosts and unauthorized access.

Mobile Device Encryption Policy

Mobile devices such as smartphones and tablets offer great flexibility and improved productivity for employees. However, they can also create added risk and become potential targets for data loss. As such, their use must be in alignment with appropriate standards, and encryption technology should be used when possible.

Pandemic Response Planning Policy

The purpose of this policy is to direct planning, preparation and exercises for pandemic disease outbreak over and above the normal business continuity and disaster recovery planning process. The objective is to address the reality that pandemic events can create personnel and technology issues outside the scope of the traditional Disaster Recovery/Business Continuity Planning process, as potentially some if not the entire workforce may be unable to come to work for health or personal reasons.

Password Construction Guidelines

The purpose of these guidelines is to provide best practices for the creation of strong passwords.

Password Protection Policy

The purpose of this policy is to establish a standard for creation of strong passwords and the
protection of those passwords.

Personal Communication Devices and Voicemail Policy

This document describes Information Security's requirements for Personal Communication Devices and Voicemail for <Company Name>.

Remote Access Mobile Computing Storage Policy

The purpose of this policy is to establish an authorized method for controlling mobile computing
and storage devices that contain or access information resources at the <Company Name>.

Remote Access Policy

The purpose of this policy is to establish an authorized method for controlling mobile computing
and storage devices that contain or access information resources at the <Company Name>.

Remote Access Tools Policy

The purpose of this policy is to define rules and requirements for connecting to <Company
Name>'s network from any host. These rules and requirements are designed to minimize the
potential exposure to <Company Name> from damages which may result from unauthorized use
of <Company Name> resources. Damages include the loss of sensitive or company confidential
data, intellectual property, damage to public image, damage to critical <Company Name>
internal systems, and fines or other financial liabilities incurred as a result of those losses.

Removable Media Policy

The purpose of this policy is to minimize the risk of loss or exposure of sensitive information
maintained by <Company Name> and to reduce the risk of acquiring malware infections on
computers operated by <Company Name>.

Security Response Plan Policy

The purpose of this policy is to establish the requirement that all business units supported by the
Infosec team develop and maintain a security response plan. This ensures that security incident
management team has all the necessary information to formulate a successful response should a
specific security incident occur.

Server Audit Policy

The purpose of this policy is to ensure all servers deployed at <Company Name> are configured
according to the <Company Name> security policies. Servers deployed at <Company Name>
shall be audited at least annually and as prescribed by applicable regulatory compliance.

Server Malware Protection Policy

The purpose of this policy is to outline which server systems are required to have anti-virus
and/or anti-spyware applications.

Server Security Policy

The purpose of this policy is to establish standards for the base configuration of internal server
equipment that is owned and/or operated by <Company Name>. Effective implementation of this
policy will minimize unauthorized access to <Company Name> proprietary information and
technology.

Social Engineering Awareness Policy

The purpose of this policy is to ensure employees recognize that they are an important part of <Company Name>’s security. The integrity of an employee is the best line of defense for protecting sensitive information regarding <Company Name>’s resources.

Software Installation Policy

The purpose of this policy is to outline the requirements around installation of software on <Company Owned> computing devices, in order to minimize the risk of loss of program functionality, the exposure of sensitive information contained within <Company Name’s> computing network, the risk of introducing malware, and the legal exposure of running unlicensed software.

Technology Equipment Disposal Policy

The purpose of this policy is to define the guidelines for the disposal of technology equipment and components owned by <Company Name>.

User Encryption Key Protection Policy

The purpose of this policy is to outline the requirements for protecting encryption keys that are under the control of end users. These requirements are designed to prevent unauthorized disclosure and subsequent fraudulent use. The protection methods outlined will include operational and technical controls, such as key backup procedures, encryption under a separate key and use of tamper-resistant hardware.

Virtual Private Network Policy

The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual
Private Network (VPN) connections to the <Company Name> corporate network.

Web Application Security Policy

The purpose of this policy is to define web application security assessments within <Company Name>. Web application assessments are performed to identify potential or realized weaknesses resulting from inadvertent misconfiguration, weak authentication, insufficient error handling, sensitive information leakage, etc.

Wireless Communication Policy

The purpose of this policy is to secure and protect the information assets owned by <Company
Name>. <Company Name> provides computer devices, networks, and other electronic
information systems to meet missions, goals, and initiatives. <Company Name> grants access to
these resources as a privilege and must manage them responsibly to maintain the confidentiality,
integrity, and availability of all information assets.

Wireless Communication Standard

This standard specifies the technical requirements that wireless infrastructure devices must satisfy to connect to a <Company Name> network. Only those wireless infrastructure devices that meet the requirements specified in this standard or are granted an exception by the InfoSec Team are approved for connectivity to a <Company Name> network.

Workstation Security For HIPAA Policy

The purpose of this policy is to provide guidance for workstation security for <Company Name> workstations in order to ensure the security of information on the workstation and information the workstation may have access to. Additionally, the policy provides guidance to ensure the requirements of the HIPAA Security Rule “Workstation Security” Standard 164.310(c) are met.