Governance policy templates

A policy should be corporate-wide, and is typically rather brief. Details that are allowed to vary from department to department should be implemented in standards and processes rather than the corporate policy document.

Governance Policy Template

<PolicyName> Policy

This is a formal corporate document. It should follow all corporate standards for logos, typesetting, colors, headers and footers, confidentiality notices and disclaimers.

In the policy document, each paragraph should be numbered, to facilitate compliance discussion, including identifying the specific policy section for which a waiver is being requested.

1 Purpose

1.1 The purpose of this policy is to outline <insert organization name, e.g., MyCompany> policy for <insert clear, direct description of WHAT the policy is intended to do (e.g., outline acceptable use of MyCompany equipment, or outline MyCompany requirements for controlling access to MyCompany resources). Keep sentences clear, simple, and direct.>

1.2 This policy supports <insert the list of regulatory or certification requirements. The details of the requirement need not be included. Just the name and a link for more information, if possible. If no such governing body applies, omit this paragraph.>

2 Scope

2.1 This policy applies to <Insert clear, direct description of who/what/where is covered by this policy (e.g., all MyCompany systems, all MyCompany employees).>

3 Policy

3.1 <Insert clear, direct statements outlining the requirements of the policy using will/shall liberally throughout.>

3.1.1 <Use ordinal numbered bullets for outline levels when applicable>

3.1.2 <Use ordinal numbered bullets for outline levels when applicable>

3.2 <Insert clear, direct statements outlining the requirements of the policy using will/shall liberally throughout.>

3.2.1 <Use ordinal numbered bullets for outline levels when applicable>

3.2.2 <Use ordinal numbered bullets for outline levels when applicable>

4 Implementation Timeline and Effective Date

4.1 <insert “who or what”, e.g., “All MyCompany Applications,” “All MyCompany systems,” or “All MyCompany personnel”> shall be compliant with this policy by <Insert Date>.

5 Policy Questions and Risk Acceptance

5.1 Questions, concerns or complaints regarding <information security> policies, procedures or compliance shall be submitted by email to the policy owner listed at the end of this document. Submissions will be documented and tracked to disposition without reprisal.

5.2 Any system or group not able to comply with corporate policy must have an approved Risk Acceptance Form on file in the <insert name of enterprise governance organization> by the policy effective date.

5.2.1 The Policy Waiver and Risk Acceptance Form, <insert location>, includes a mandatory mitigation plan and instructions for submitting the form.

5.2.2 For any non-compliance identified after the effective date, notify the <insert name of enterprise governance organization> at <insert contact information> for guidance on documenting the gap.

6 Compliance Management

6.1 Compliance will be monitored by <insert role responsible for monitoring compliance>. Describe how frequently they are required to monitor it, where the results are stored, and how and to whom they will be communicated. Monitoring of compliance is an important requirement of a mature, continually improving governance process. For example, “A weekly automated desktop scanning audit will be run by the LAN Desktop Services department on all workstations to detect the presence of unlicensed software. The results of that scan will be archived on the LAN Desktop Services departmental website, and any unlicensed software reported to the desktop owner, their supervisor and manager.”

7 Non-Compliance

7.1 Failure to comply with this policy will result in <insert consequences of non-compliance>. This is not what will happen to the company (e.g., a regulatory fine), but rather what will happen to the employee who elected not to comply with the corporate policy. For example, “Any employee found to have violated this corporate policy or failed to report any non-compliance shall be subject to disciplinary action, up to and including termination of employment.”

8 Communication Plan

8.1 How is this vision to be communicated? The <insert position title, not name> or their designee shall be responsible for determining what job roles, if any, must take specific training.

8.2 Will there be training available? Is that training mandatory? For what roles? Whose responsibility is it to ensure that all of the correct people are educated? How often should the training be repeated in order to stay current? “The <insert position title, not name> or designee will develop requirements for any specific security training deemed necessary, to be administered and tracked through <corporate education portal>.”

9 Revision Cycle

9.1 How often should this policy be reviewed and updated? How are changes made and approved?
