Sample Security Policy Outline

1. Introduction
   1.1 General Information
   1.2 Objectives
   1.3 Responsible Organizational Structure
       1.3.1 Corporate Information Services
       1.3.2 Business Unit Information Services
       1.3.3 International Organizations
       1.3.4 Tenants
   1.4 Security Standards
       1.4.1 Confidentiality
       1.4.2 Integrity
       1.4.3 Authorization
       1.4.4 Access
       1.4.5 Appropriate Use
       1.4.6 Employee Privacy

2. Domain Services
   2.1 Authentication
   2.2 Password Standards
   2.3 Resident Personnel Departure
       2.3.1 Friendly Terms
       2.3.2 Unfriendly Terms

3. Email Systems
   3.1 Authentication
   3.2 Intrusion Protection
   3.3 Physical Access
   3.4 Backups
   3.5 Retention Policy
   3.6 Auditing

4. Web Servers
   4.1 Internal
   4.2 External

5. Data Center
   5.1 Authentication
   5.2 Intrusion Protection
   5.3 Physical Access
   5.4 Backups
   5.5 Retention Policy
   5.6 Auditing
   5.7 Disaster Recovery

6. LAN/WAN
   6.1 Authentication
   6.2 Intrusion Protection
   6.3 Physical Access
       6.3.1 Modems
       6.3.2 Dial-in Access
       6.3.3 Dial-out
   6.4 Backups
   6.5 Retention Policy
   6.6 Content Filtering
   6.7 Auditing
   6.8 Disaster Recovery
       6.8.1 Network Operations Center
       6.8.2 Physical Network Layer

7. Desktop Systems
   7.1 Authentication
   7.2 Intrusion Protection
   7.3 Physical Access
   7.4 Backups
   7.5 Auditing
   7.6 Disaster Recovery

8. Telecommunication Systems
   8.1 Authentication
   8.2 Intrusion Protection
   8.3 Physical Access
   8.4 Auditing
   8.5 Backups
   8.6 Retention Policy
   8.7 Disaster Recovery

9. Strategic Servers
   9.1 Authentication
   9.2 Intrusion Protection
   9.3 Physical Access
   9.4 Backups
   9.5 Retention Policy
   9.6 Auditing
   9.7 Disaster Recovery

10. Legacy Systems
   10.1 Authentication
       10.1.1 Password Standards
   10.2 Intrusion Protection
   10.3 Physical Access
   10.4 Backups
   10.5 Retention Policy
   10.6 Auditing
   10.7 Disaster Recovery

11. Security Services and Procedures
   11.1 Auditing
   11.2 Monitoring

12. Security Incident Handling
   12.1 Preparing and Planning for Incident Handling
   12.2 Notification and Points of Contact
   12.3 Identifying an Incident
   12.4 Handling an Incident
   12.5 Aftermath of an Incident
   12.6 Forensics and Legal Implications
   12.7 Public Relations Contacts
   12.8 Key Steps
       12.8.1 Containment
       12.8.2 Eradication
       12.8.3 Recovery
       12.8.4 Follow-Up
       12.8.5 Aftermath / Lessons Learned
   12.9 Responsibilities

13. Ongoing Activities
   13.1 Incident Warnings
       13.1.1 Virus Warnings
       13.1.2 Intrusion Vulnerabilities
       13.1.3 Security Patches

14. Contacts, Mailing Lists and Other Resources

15. References