University Information Security Policies - Electronic resource usage and security policies from the University of Pennsylvania. ISO/IEC 27001 Policies - Typical headings for a security policy aligned broadly with the ISO/IEC 27002 standard for information security management systems. Telecommuting/Teleworking Policy - Sample policy on teleworking covering employment as well as information security issues. Network Security Policy Guide - Watchguard's guide to creating an overarching network information security policy, supported by subsidiary policies. Personnel Security Policy - Example policy covering pre-employment screening, security policy training etc. Internet Acceptable Use Policy - One page Acceptable Use Policy example. Disaster Recovery Policy - Basic DR policy in just over one side. University Information Security Policies - A set of information security policies from the University of Louisville. Backup Policy - Sample policy requires a cycle of daily and weekly backups (although monthly backups are also advisable!). Campus Security Policy - An overarching security policy from Berkeley University includes links to more specific and detailed policies. Campus Security Policy - A high level information security policy from Washington University. FIPS 140-2 Security Policy - Security policy for the OpenSSL FIPS software object module, required for validation against FIPS (Federal Information Processing Standard) 140-2. Information Security Policies - Policies from CSPO Tools Inc., some of which are available without charge as PDF files or for an annual subscription as MS Word files, along with additional content. Acceptable Use Policy Template - A basic acceptable use policy, from the State of California Office of Information Security. [MS Word] Antivirus Policy - From the State of Vermont Agency of Administration. Mandates the use of antivirus software on applicable systems. Incident Response Policy - From the State of Vermont Agency of Administration. Policy defining the essential elements of the process for responding to security incidents. Intrusion Detection and Prevention Policy - From the State of Vermont Agency of Administration. Policy on specifying, installing and using IDS/IPS. Physical Security for Computer Protection Policy - From the State of Vermont Agency of Administration. Covers physical access controls and the secure provision of power etc. to a computer room. Third Party Connectivity Policy - From the State of Vermont Agency of Administration. Connections require business cases, audits etc. Acceptable Use of Computing and Electronic Resources Policy - From the University of North Carolina, Greensboro. Specifies responsibilities and prohibited activities in relation to IT use. Data Classification Policy - From the University of North Carolina, Greensboro. Deliberately simple: defines just two classification levels. Includes responsibilities. Electronic Records Retention Policy - From the University of North Carolina, Greensboro. Covers the retention of various data files, including those subject to litigation. Identity Theft Prevention Program Policy - From the University of North Carolina, Greensboro. Lays out controls for detecting and reacting to 'red flag' situations linked to identity theft. Personal Information Security Breach Notification Policy - From the University of North Carolina, Greensboro. Policy about mandatory notification of breaches involving the disclosure of personal information. Social Security Numbers Policy - From the University of North Carolina, Greensboro. Specifies security controls to protect SSNs. Wireless Communications Policy - From the University of North Carolina, Greensboro. Prohibits wireless devices that may interfere with authorized wireless systems. Copyright Compliance Policy - From the University of North Carolina, Greensboro. Covers compliance with copyright law when using information belonging to others. Copyright Ownership and Use Policy - From the University of North Carolina, Greensboro. Policy on protecting the organization's own intellectual property through copyright. HIPAA Compliance Policy - From the University of North Carolina, Greensboro. Policy on compliance with the Health Insurance Portability and Accountability Act. eCommerce Privacy Policy - Policy concerning privacy of visitors to websites, covering logs, cookies and information volunteered. Information Security Policies - SANS consensus research project offering around 30 editable information security policies. Acceptable Use Policy - Template policy clarifying the acceptable use of IT devices and networks. [MS Word] Privacy Policy - One of many many examples on the WWW, this one from the School of Graduate Studies at Norwich University. Information Security Policy - High-level information security policy statement for the Childhood Cancer Research Group at Oxford University. Standard Practice Guide - Policy covering appropriate use of information resources and IT at the University of Michigan. Information Security Policies - An extensive set of ISO27k-based policies for universities from University Colleges and Information Systems Association. IP Network Security Policy - Example security policy to demonstrate policy writing techniques introduced in three earlier articles. Awareness and Training Policy - From Georgia Perimeter College. Mandates an ongoing and creative general security awareness program supplemented with more specific training where needed. Information Security Policy - From the New School university in New York. Includes a set of 21 high level principles, cross-referenced to ISO/IEC 27002:2005. Information Security Policy - From the University of North Carolina, Greensboro. Very succinct - just 5 policy goals. Teleworking Policy - From the University of North Carolina, Greensboro. Covers health and safety and employment issues as well as IT security aspects of home working. Digital Media and Hardware Disposal Policy - From the State of Vermont Agency of Administration. Policy on disposing of IT systems and media securely, without carelessly discarding confidential data. Blogging Policy - From the State of Vermont Agency of Administration. Policy re blogging and microblogging (e.g. on Twitter). Laptop Security Policy - From the National Health Service. [MS Word] Incident Management Policy - From Herriot-Watt University. Clarifies the respective roles of students, faculty and administrators in reporting and dealing with information security incidents. Whistleblower policy - By Euronext N.V. Requires employees to report serious noncompliance incidents, offering whistleblowers protection against disadvantage. Media disposal policy - Succinct policy from Oregon State University requires that a competent person signs a release form before disposing of storage media from which the data have been securely erased (e.g. by 7x overwrite) Electronic Communications Policy - Formal policy from the University of California covering email and other electronic communications mechanisms Electronic Communications Policy - Policy from the University of Colorado on the use of email and other means of electronic communication for official purposes. Governance Policies Handbook - Corporate governance policies for Connexis, a power company Wireless Communication Policy - Concerns the use of wireless networking devices. Retention Policy - Covers retention of documents/information for business and compliance purposes. From Yale University Records Preservation Policy - Concerns the need to retain formal records associated with ongoing legal actions. From Yale University. Development or Revision and Posting of Policies, Procedures and Forms Policy - Formalities around the development or update and publication of policies, procedures and forms. From Yale University. Social Security Numbers Confidentiality Policy - Controls to maintain the secrecy of SSNs. From Yale University. Information Technology Appropriate Use Policy - Lays down the rules concerning acceptable ways of using the institution's IT facilities. From Yale University. Electronic Signatures and Records Policy - Concerns what systems can be used for electronic signatures, and under what conditions. From Yale University. Server Security Policy - Defines standards for minimal security configuration for servers inside the organization's production network, or used in a production capacity. Providing and Using Information Technology Policy - Concerns ownership and rights over corporate IT equipment, in the University of Colorado. This policy includes an explanatory FAQ section. ISO27k Toolkit - Collection of information security policies, procedures etc. aligned with the ISO/IEC 27000-series standards and provided under the Creative Commons license. Accidental Disclosure of Confidential Information Policy - An example policy from a dentistry company concerning the inadvertent disclosure of personal information. Email Policy - Policy from Northern Illinois University's IT Services group. Outlines some unacceptable uses. Email Forwarding Policy - Email must not be forwarded automatically to an external destination without prior approval from the appropriate manager. Information Security Policy - From Euronet Services India. In addition to a page of information security policy statements, it lists roles and responsibilities, plus supporting policies. Privacy Policy - Google's privacy policy is clearly written.