Sample Security Policies and Templates
APPENDIX
Included in this appendix are some foundational policy templates that are needed to help mitigate risk. The following policy templates are included in this appendix:
Sample Company IT Policy
Effective Date:
SAMPLE COMPANY ACCESS CONTROL POLICY
Enterprise or Departmental: Enterprise Policy
Approved:
Executive Sponsor:
Policy Revision # & Date:
Subject: Access Control Policy
The intent of this policy is to define the organization’s requirement for providing employees, users, authorized third parties, and system administrators with access to systems, applications, and data.
Given the organization’s Data Classification Policy, role-based access controls will be defined for each job function. Each job description will have job tasks and functions defined that may require access to systems, applications, and data. Depending on the sensitivity of the job function, access to sensitive data may be required.
The physical scope of this policy shall include the following domains within the seven domains of a typical IT infrastructure (see figure on next page):
The operational and management scope of this Access Control Policy shall include:
Access controls—The process and procedures for how authorized users are to gain access to the network, systems, applications, and data.
Active Directory—Windows system that provides identification and authentication for access to the LAN.
Authentication—The process of ensuring that the individual is who he or she claims to be by asking for a password or series of questions to verify the individual’s identity.
Authorization—The process by which a new hire onboarded by HR is granted role-based access controls based on the job duties and tasks required.
Identification—The assignment of a user ID or login ID for the user.
Multifactor authentication—After the initial login ID and password are used, another method of user authentication is enabled such as two-factor authentication using a hard token or soft token passcode.
Role-based access controls—Within an organization, different job functions require different access to different IT systems, applications, and data. Role-based access controls define access to IT systems, applications, and data based on the role or job function required.
Security information event management (SIEM)—A sophisticated log aggregation system that can analyze audit trails and logs, and correlate events and security incidents on an IP data network. The SIEM is the central data repository for audit trails and logs of IT assets where threat analysis is performed.
Separation of duties—A security control under which roles and responsibilities are shared and distributed among privileged system administrators so that no single individual holds all the power.
Two-factor authentication (2FA)—Provides identification of users by means of the combination of two different components. These components may be something the user knows, something the user possesses, or something inseparable from the user. Two-factor authentication is a type of multifactor authentication.
User ID/login ID—A unique identifier that is given to an authorized user. User IDs and login IDs can be a user’s email address or another username assigned within Windows Active Directory (AD) or wherever user IDs and login IDs are created.
All employees, authorized users, and authorized third parties shall be granted access to the organization’s network, systems, applications, and data as needed to perform their job responsibilities.
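The definitions above (identification, multifactor authentication, role-based access controls, separation of duties) can be read as one decision procedure: a login ID carries roles, roles carry permissions, sensitive access additionally requires MFA, and certain role pairs may never be held by one person. The following Python is an added illustration of that procedure and is not part of the policy template; the role catalogue, permission names, and login IDs are constructed for the example, since the policy leaves the real mapping to each job description.

```python
from dataclasses import dataclass, field

# Constructed role catalogue for this example; the policy leaves the actual
# role-to-permission mapping to each job description.
ROLE_PERMISSIONS = {
    "hr_specialist": {"hr_system:read", "hr_system:write"},
    "payroll_clerk": {"payroll:read", "payroll:submit"},
    "payroll_approver": {"payroll:read", "payroll:approve"},
    "sysadmin": {"ad:manage_users", "siem:read"},
    "security_analyst": {"siem:read", "siem:manage_rules"},
}

# Separation-of-duties pairs (constructed): no single login ID may hold both roles.
SOD_EXCLUSIVE_ROLES = [
    ("payroll_clerk", "payroll_approver"),   # submitter must not approve own work
    ("sysadmin", "security_analyst"),        # account admin must not control the audit trail
]


@dataclass
class User:
    login_id: str                          # identification: the unique login ID
    roles: set = field(default_factory=set)
    mfa_enrolled: bool = False             # multifactor authentication completed


def assign_role(user, role):
    """Authorization step: grant a role only if it exists in the catalogue and
    does not combine with an already-held role into a separation-of-duties conflict."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {role!r}")
    for a, b in SOD_EXCLUSIVE_ROLES:
        conflicting = b if role == a else a if role == b else None
        if conflicting is not None and conflicting in user.roles:
            raise PermissionError(
                f"{user.login_id}: {role!r} conflicts with held role {conflicting!r}")
    user.roles.add(role)


def is_authorized(user, permission, sensitive=False):
    """Access decision: the permission must be granted by at least one of the
    user's roles, and access to sensitive data additionally requires MFA."""
    if sensitive and not user.mfa_enrolled:
        return False
    return any(permission in ROLE_PERMISSIONS.get(r, ()) for r in user.roles)


def sod_violations(users):
    """Audit helper for role data exported from the directory: returns
    (login_id, role_a, role_b) for every user already holding an exclusive pair."""
    found = []
    for u in users:
        for a, b in SOD_EXCLUSIVE_ROLES:
            if a in u.roles and b in u.roles:
                found.append((u.login_id, a, b))
    return found


if __name__ == "__main__":
    alice = User("alice@example.com")
    assign_role(alice, "payroll_clerk")
    print("submit:", is_authorized(alice, "payroll:submit"))
    print("submit (sensitive, no MFA):", is_authorized(alice, "payroll:submit", sensitive=True))
    bob = User("bob@example.com", {"sysadmin", "security_analyst"})
    print("SoD violations:", sod_violations([alice, bob]))
```

The `sod_violations` helper is the part worth running periodically: roles assigned directly in the directory bypass `assign_role`, so the exclusive-pair rule has to be re-checked against exported data, not only enforced at grant time.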
The following defines the security controls for access controls:
Noncompliance with this policy definition will be monitored, tracked, and handled by the Human Resources department, the employee’s department head, and the Information Technology department.
All employees, authorized users, and authorized third parties who are in violation of this policy will be required to work with the Human Resources department and Information Technology department to remediate.
This remediation effort may include review of policies and procedures, retaking the security awareness training course, and/or other disciplinary actions.
REVISION DATE | AUTHOR | DESCRIPTION |
---|---|---|
Sample Company IT Policy
Effective Date:
SAMPLE COMPANY ACCESS CONTROL POLICY
Enterprise or Departmental: Enterprise Policy
Approved:
Executive Sponsor:
Policy Revision # & Date:
Subject: Acceptable Use Policy—IT Assets, Network, Internet, and Email
This policy shall define acceptable use of the organization’s IT assets, Internet, email, systems, applications, and data. This policy shall also define unacceptable use.
The scope of this enterprise-wide policy encompasses the entire organization and all employees, authorized users, and authorized third parties who are granted access controls to the IT infrastructure.
All employees, contractors, and authorized third parties who are provided with a login ID and password must comply with this acceptable use policy. This policy mandates that all employees, contractors, and authorized third parties take special precautions as they pertain to the access, use, handling, storage, and transmission of sensitive data as part of normal day-to-day operations and business functions.
Cipher-text—Data that cannot be seen or comprehended given that it is encrypted or scrambled and is unreadable.
Clear-text—Data that can be seen and comprehended given that it is displayed “as is.”
Encryption—Utilizes a cryptographic algorithm to encode messages or information in a way that only authorized recipients can decode the message or information.
Information security—The tenets of information security include confidentiality, integrity, and availability. Information security, as a whole, is the responsibility of all employees and authorized users of the organization’s network, systems, applications, and data.
Sensitive data—Data that is under a regulatory compliance law or is sensitive as defined by the organization.
All authorized users (employees, contractors, or authorized third parties) that require access to the organization’s IT assets, systems, applications, and data must read, acknowledge, and sign this Acceptable Use Policy prior to being granted login credentials.
More importantly, this policy shall define what is acceptable use and what is unacceptable use of the organization’s owned IT systems, applications, and data.
(1) Providing copies of software to anyone else
(2) Installing software on organization-owned computer equipment without notifying and getting advance approval of the Information Technology department
(3) Downloading software from the Internet without advance approval from the Information Technology department
(4) Modifying or altering installed software without advance approval from the Information Technology department
Noncompliance with this policy will be monitored, tracked, and handled by the organization’s Human Resource department and Information Technology department.
Any employees or authorized users who are in violation of this policy will be required to work with the Human Resources department for remediation.
This remediation effort may include review of the organization’s policies, retaking the security awareness training course, or other disciplinary actions.
I have read, reviewed, and acknowledge that I understand this Acceptable Use Policy as it pertains to my job responsibilities and tasks.
Employee/User:
Name
Signature
Title
Date
Human Resources:
Name
Signature
Title
Date
Supervisor/Manager:
Name
Signature
Title
Date
Sample Company IT Policy
Effective Date:
SAMPLE COMPANY ACCESS CONTROL POLICY
Enterprise or Departmental: Enterprise Policy
Approved:
Executive Sponsor:
Policy Revision # & Date:
Subject: Data Classification Policy
The intent of this policy is to provide the organization with a consistent definition for different classes of information. Once defined, all employees and users will access, use, handle, process, store, and transmit data consistently according to its classification. This is important given the sensitive data used by the organization.
The scope of this enterprise-wide policy includes all employees, authorized users, and authorized third parties who are granted access to the organization’s systems, applications, and data.
Application owner—The owner or technical application lead responsible for the purchase and implementation of a software application used by the organization.
Data classification—The act of classifying data/information assets used by the organization.
Data governance—The definition for how the organization will use, handle, store, and/or transmit sensitive data.
Data owner—The technical lead responsible for the back-end database or other data repository that stores sensitive data. Typically, the data owner would be responsible and accountable for designing, testing, and ensuring that data encryption at rest can be enabled without performance degradation.
Department head—The department leader or supervisor who is ultimately responsible and accountable for the actions of the employees and authorized users in that department.
Encryption at rest—Applies to the actual data that resides in the back-end SQL database tables. Encryption at rest refers to that data being stored encrypted within the SQL database tables and the data backup files, so that it is unreadable without the decryption key.
Nonpublic information (NPI)—Shall mean all electronic information that is not publicly available and is:
(1) Business-related information of an organization, the unauthorized disclosure, access, or use of which would cause a material adverse impact to the business, operations, or security of the organization
(2) Any information concerning an individual that, because of name, number, personal mark, or other identifier, can be used to identify such individual, in combination with any one or more of the following data elements: (i) Social Security number; (ii) driver’s license number or nondriver identification card number; (iii) account number, or credit or debit card number; (iv) any security code, access code, or password that would permit access to an individual’s financial account; or (v) biometric records
(3) Any information or data, except age or gender, in any form or medium created by or derived from a health care provider or an individual and that relates to (i) the past, present, or future physical, mental, or behavioral health or condition of any individual or a member of the individual’s family; (ii) the provision of health care to any individual; or (iii) payment for the provision of health care to any individual
Personally identifiable information (PII) data—Information that, if obtained, can be used to identify, contact, or locate a single person, or to identify an individual in context as a result of combining individual private data elements (e.g., first and last name, home address, Social Security number, date of birth, etc.).
All employees, authorized users, and authorized third parties who are granted access controls to systems, applications, and data owned by the organization shall abide by this policy and the classifications of data.
It is the responsibility and accountability of each department head, application owner, and/or data owner to classify the data that is to be used, handled, stored, and transmitted on the organization’s network infrastructure.
The following schema will be used to classify data throughout the organization.
CLASSIFICATION LEVEL | DESCRIPTION |
---|---|
Level 1 – Low (Public Domain, Low Sensitivity) | This category classifies data as Level 1 – Low. Data in this classification can be accessed and shared with the general public. No labeling or security controls are required when handling this category of data. Data classified in this category shall include but is not limited to: |
Level 2 – Medium (Internal Business Use Only, Medium Sensitivity) | This category identifies data that shall be labeled as Level 2 – Medium. Data in this classification shall be treated as confidential, Internal Business Use Only, to be shared only with authorized users between the organization’s departments and employees. Data classified in this category shall include but is not limited to: |
Level 3 – High (High Sensitivity) | This category identifies data that shall be labeled as Level 3 – High. This classification is for the most sensitive data used, handled, stored, and/or transmitted throughout the organization’s network infrastructure and work environment. Data classified in this category shall include but is not limited to: |
The table below summarizes types of data utilized and stored throughout the network infrastructure by the organization and lists the minimum sensitivity level of these data categories or types.
This can be used as a guideline for classifying other forms of data that new applications may use, handle, store, or transmit.
DATA CATEGORY | DESCRIPTION | MINIMUM CLASSIFICATION LEVEL |
---|---|---|
Investigative or Intelligence | Data under attorney–client privileged communications. Data/information related to investigations, law enforcement, subpoenas, court cases (not part of public record yet), and special operational activities. This includes information that could reasonably be expected to result in loss of life if inaccurate, disclosed, lost, or altered without permission. | 3 |
Legal, Law Enforcement, and Emergency Response | Data/information related to legal, law enforcement activities, or emergency response that would adversely impact the organization or individual(s) involved if released. | 3 |
Financial Data of Customers or the Organization | Customer or organization financial data that: (a) is created or received by an organizational department or employee; (b) shall be fully encrypted in transmission; isolated from the rest of the organization’s network infrastructure; and, if in paper form, shall be stored in a physically secure room within the organization’s physical environment | 3 |
Personally Identifiable Information (PII) Data Subject to Privacy Laws | Any item, collection, or grouping of data/information (e.g., PII) about a U.S. citizen or permanent resident employed by the organization (e.g., first and last name, home address, Social Security number, date of birth, etc.). | 3 |
Emergency Operations and Procedures (BIA, BCP, DRP, and CSIRT Plan) | Information related to the organization’s IT security posture, including automated data processing security, internal operations, workflows, security controls, and risks, threats, and vulnerabilities. The organization’s internal security, emergency operations and procedures, IT documentation, business impact analysis (BIA), business continuity plan (BCP), disaster recovery plan (DRP), and computer security incident response team (CSIRT) plan shall be classified as Level 3 – High. | 3 |
Financials, Business Workflows | Information related to the organization’s business partners’, vendors’, and contractors’ financials, taxes, revenue, accounting or commercial activities, business workflows, procurement, and any other nonexempt data. | 2 |
Personnel | Data/information whose external or internal release would have a negative impact on an individual. | 2 |
Internal Data for Business Use Only | Memos, spreadsheets, and documents containing general organizational business operations and information that would not be made generally available to the public. | 2 |
External Data that Is Considered Public Domain | Emails, memos, spreadsheets, SMS text messages, and documents containing general information that is not covered under Level 3 – High or Level 2 – Medium data classification definitions. This classification of data can be found in the public domain or can be shared in the public domain with no adverse effect or risk exposure to the organization. | 1 |
Noncompliance with this policy will be monitored, tracked, and handled by the organization’s Information Technology department and Human Resources department.
The Information Technology department and each department head shall be held responsible and accountable for enforcing this policy throughout.
Resources, tools, and defined procedures are the responsibility of the Information Technology department and each application owner and/or data owner assigned.
Executive or Board Level Review & Approval: | _______________________ (Name) _______________________ (Title) _______________________ (Signature) _______________________ (Date) |
REVISION DATE | AUTHOR | DESCRIPTION |
---|---|---|
Sample Company IT Policy
Effective Date:
SAMPLE COMPANY ACCESS CONTROL POLICY
Enterprise or Departmental: Enterprise Policy
Approved:
Executive Sponsor:
Policy Revision # & Date:
Subject: Network Security Policy
The intent of this policy is to provide the organization’s Information Technology department with a clear and concise definition of why, where, and how to implement network security controls. By security control we mean any of the following:
The scope of this enterprise-wide policy includes the following domains within the seven domains of a typical IT infrastructure (see figure on next page):
Access control list (ACL)—A software configuration that acts like a filter in a Layer 3 switch or router. An ACL can be set to permit or deny packets based on IP packet header fields or port numbers. Forwarding or filtering decisions are made at the interface level.
Demilitarized zone (DMZ)—An IP subnetwork that interconnects a private, closed IP data network with the public Internet within the LAN-to-WAN Domain. The DMZ is positioned at the IP data network’s perimeter, which contains and exposes an organization's external-facing services to a larger and untrusted network, such as the public Internet.
Firewall—A software or hardware-based network security device that controls incoming and outgoing IP network traffic. A stateful firewall means the IP packet header will be examined to determine whether packets should be forwarded or filtered based on applied IP and UDP/TCP rule sets. An IP stateful firewall provides an additional layer of security prior to an IP packet being forwarded to a secure IP data networking subnetwork or VLAN. The firewall also acts as the last line of defense for system and application servers that may have an internal firewall enabled on the server itself.
Virtual LAN (VLAN)—A Layer 2 IEEE 802.3 CSMA/CD Ethernet-based broadcast domain. Configuration of a Layer 2 virtual LAN (VLAN) is defined in the IEEE 802.1Q VLAN standard definition. Users in the same department are typically on the same Ethernet broadcast domain.
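The ACL, DMZ, and firewall definitions above describe the same mechanism at different places in the network: an ordered list of permit/deny entries, evaluated top to bottom on the packet header, with anything unmatched dropped. The Python below is an added illustration of that evaluation and is not part of the policy template or of any vendor’s ACL syntax; the entry format, the sample DMZ rule set, and the addresses (documentation ranges) are constructed for the example. It also includes a check for shadowed entries, the audit a reviewer would run on an ACL before signing off on it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AclEntry:
    action: str                       # "permit" or "deny"
    proto: str                        # "tcp", "udp", "icmp", or "ip" for any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None    # None matches any destination port


def parse_acl(text):
    """Parse a constructed, router-style ACL syntax, one entry per line:
    <permit|deny> <proto> <src-cidr> <dst-cidr> [dst-port]   # comment"""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) not in (4, 5):
            raise ValueError(f"malformed ACL entry: {raw!r}")
        action, proto, src, dst = parts[:4]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in entry: {raw!r}")
        port = int(parts[4]) if len(parts) == 5 else None
        entries.append(AclEntry(action, proto.lower(),
                                ipaddress.ip_network(src, strict=False),
                                ipaddress.ip_network(dst, strict=False), port))
    return entries


def evaluate(acl, proto, src_ip, dst_ip, dst_port=None):
    """First-match evaluation, as a router interface applies it. Returns
    (action, index_of_matching_entry); an unmatched packet hits the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, e in enumerate(acl):
        if e.proto not in ("ip", proto):
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action, i
    return "deny", None


def shadowed_entries(acl):
    """Lint check: (j, i) pairs where entry j can never match because the earlier
    entry i already covers every packet j would match. Shadowed entries usually
    mean the ACL no longer says what its author believes it says."""
    shadowed = []
    for j, later in enumerate(acl):
        for i in range(j):
            earlier = acl[i]
            if (earlier.proto in ("ip", later.proto)
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and (earlier.dst_port is None or earlier.dst_port == later.dst_port)):
                shadowed.append((j, i))
                break
    return shadowed


# Constructed sample: an Internet-facing interface in front of a DMZ web server.
DMZ_ACL = """
permit tcp 0.0.0.0/0 203.0.113.10/32 443
permit tcp 0.0.0.0/0 203.0.113.10/32 80
deny   ip  0.0.0.0/0 10.0.0.0/8            # no direct path from the Internet to the private LAN
permit tcp 0.0.0.0/0 203.0.113.10/32 443   # redundant: shadowed by the first entry
"""

if __name__ == "__main__":
    acl = parse_acl(DMZ_ACL)
    print(evaluate(acl, "tcp", "198.51.100.7", "203.0.113.10", 443))
    print(evaluate(acl, "tcp", "198.51.100.7", "10.1.2.3", 22))
    print(evaluate(acl, "udp", "198.51.100.7", "203.0.113.10", 53))
    print("shadowed:", shadowed_entries(acl))
```

The implicit deny at the end of `evaluate` is the property that makes an ACL a security control rather than a routing hint: anything the author did not explicitly permit is dropped, which is why a shadowed or mis-ordered entry is reviewed as a defect even when the device accepts the configuration without complaint.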
This Network Security Policy requires the Information Technology department to build baseline definitions to ensure the confidentiality, integrity, and availability of system and network resources.
The following presents the policy requirements:
Noncompliance with this policy will be monitored, tracked, and handled by the organization’s Information Technology department.
The Information Technology department shall be held responsible and accountable for enforcing this policy throughout.
Resources, tools, and defined procedures are the responsibility of the Information Technology department and the owner of this policy.
Executive or Board Level Review & Approval: | _______________________ (Name) _______________________ (Title) _______________________ (Signature) _______________________ (Date) |
REVISION DATE | AUTHOR | DESCRIPTION |
---|---|---|