Data Classification Policy Template

The Hawaii Health Information Corporation has a good data classification policy template here. A very helpful part of this template is the classification labels section. Here’s an excerpt: CLASSIFICATION LABELS Public: This classification applies to information that is available to the general public and intended for distribution outside the organizations. This information may be freely […]

Data Classification Matrix

Total Enterprise Security Solutions has a great data classification matrix here. This matrix would make a good appendix to your Data Classification Policy. It categorizes data into non-sensitive (non-controlled and controlled) and sensitive (critical information and restricted information). It also has examples and criteria for each category plus ten handling standards: Release to Third Parties […]

Sample Data Classification Policy

The Hawaii Health Information Corporation has a sample data classification policy here. Here’s an excerpt: A. [COMPANY]’s data classification system has been designed to support the “need to know” principle so that information may be protected from unauthorized disclosure, use, modification, and deletion. Consistent use of this data classification system will facilitate business activities and […]

Incident Response Policy Template

An excellent template for an Incident Response Policy can be found in RFC 2350 here. While RFC 2350 is a template for describing a computer security incident response team (CSIRT), its services and its policies, it has much of the same structure you would need for an Incident Response Policy. It even includes a filled-out example of the template. Here’s […]

Network Security Policy

The University of Toronto has a great example of a Network Security Policy here. Here’s an excerpt: Computing & Networking Services will: monitor, in real time, backbone network traffic, as necessary and appropriate, for the detection of unauthorized activity, intrusion attempts and compromised equipment; carry out and review the results of automated network-based vulnerability, compromise assessment […]

Personnel Security Policy

I wrote a generic Personnel Security Policy which is attached below. Sections of this policy include: Requirement to Protect Corporate Assets; Information Security Responsibilities in Employee Handbook & Contracts; Information Security Training; Background Checks; Bonding; Conflict of Interest; Non-Disclosure Agreements; Security Incidents. Here’s an excerpt: Include information security responsibilities in company rules and worker’s contracts. […]

Acceptable Use Policy Example

The Ruskwig site has a great example of an Acceptable Use Policy here. Here’s an excerpt: DO NOT 9. Do not download text or images which contain material of a pornographic, racist or extreme political nature, or which incites violence, hatred or any illegal activity. 10. Do not download content from Internet sites unless it […]

Email Retention Policy

Here’s a great article by Mich Kabay that describes tips for defining email retention policies. Here’s an excerpt: Define, enforce and update formal retention policies that stipulate how long to keep archives of which types of data. Ensure that your legal counsel is deeply involved in setting these policies. Access to archived records should be […]

Document Retention Policy

eMag has a great overview of how to develop your document retention policy here. Here’s an excerpt: EVERY company should have a formal document retention policy, and this policy must be actively enforced. When a company or business is on notice of pending litigation, it is required to implement a “Litigation Hold” to retain any […]

Acceptable Use Policy Sample

The SANS Security Policy Project site has a good acceptable use policy sample here. Here’s an excerpt: 2.0 Purpose The purpose of this policy is to outline the acceptable use of computer equipment at <Company Name>. These rules are in place to protect the employee and <Company Name>. Inappropriate use exposes <Company Name> to risks including virus attacks, […]
