InfoSec Policy Templates

Throughout the course of this week, I have been reading through a few different approaches in regards to drafting information security policies. Some of these include the Security Systems Development Life Cycle (SecSDLC), the Issue-Specific Security Policy (ISSP) approach, and the Information Securities Policy Made Easy (ISPME) approach, just to name a few.

While all of the above approaches are great options to developing policy, organizations can also consider using security policies that have already been drafted and made readily available online by reputable security organizations. There are many such policy templates available for organizations to take and adapt for their own unique environment. This can save time and effort versus starting from scratch (reinventing the wheel), as well as help to make sure that major lessons-learned throughout the history of the industry are included in your own policy.

My favorite resource for security policy templates is the SANS Security Policy Resource webpage, found at https://www.sans.org/security-resources/policies. They have templates for 27 different types of policies, including Acceptable Use, Password Protection, and Server Security policies. They were created by the SANS community as a whole, and are designed to make security policy implementation at any organization fast, easy, and up-to-date with current trends and lessons-learned.

I think these and other templates make a great starting point for any organization looking to begin their own policy. Just be careful not to get into a “fill in the blank” mindset; this could cause you to forget to address risks that are specific your organization, and thus leave some security gaps in your policy.