Writing Information Security Policies
Appendix C: SAMPLE POLICIES

Throughout the book, I provided sample policy statements to illustrate what you can put into the policies you are writing. Individually, they are useful examples, but I know that people like full examples. This appendix has three examples of different policies that have been adapted from documents I worked on for different organizations.

As you may recall, the sample statements in this book were written in a style that is similar to what you would see in a statement of work for a U.S. federal government contract. Some organizations do not like this style. Two of the policies do not follow my convention. I chose these samples to demonstrate how policies can be written using any language style.

The first sample is an Acceptable Usage Policy for an organization with more than 250 users. At the time I worked for them, they had opened their fourth office in the United States and were in negotiations to open an office in Europe. They ran mainframes, UNIX servers, and PCs on the desktop. All the offices were tied together using private lines. This organization wanted something that resembled a summary of their information security policies so that users would have few questions as to the nature of their policies.

The second sample is an Email Policy. This organization was worried about the spread of email viruses and had just purchased a system that would scan email attachments for viruses. Because this organization hired a lot of young people, management felt that they needed a statement that users would notice on email etiquette. They felt the Ten Commandments of Email (see Chapter 7) was the way to communicate their intent. It was their decision to place it at the end of the Email Policy document.

Finally, the sample Administrative Policy outlining compliance and enforcement (see Chapter 12) was adapted from a growing organization that was going through the process of getting ready for their Initial Public Offering (IPO). What makes this sample interesting is the style. Just before we finished all the policies, one of the executives had added a brief explanation, in relatively plain language, of each policy statement and included them within the document. It was called the "Purpose Statement." After a lot of discussion, mostly positive, these statements were left in the documents. However, a disclaimer was added to the introduction of the policies. Although this is the only time I have used this, I would consider using it again under the right circumstances.


All questions, comments, and corrections may be e-mailed to the author.

Last update: October 09, 2011