How to create a great security policy template!


I was looking back at some of the very early policies I wrote back in 2004. After reviewing some of that initial work, I realized that writing a good policy is hard to get right the first time. I decided to help people new to policy writing by outlining a template of what is needed to get started. All of the items in the list below are things that could go in the template, in whatever order makes sense to you. The best first step is to create your template, review it, have someone you trust review it, and then use it consistently for all of your policy documents. You can always fix it next year when you are reviewing all of your policy documents.

Policy and Procedure: what should you include in your documentation

First things first:

Work with your marketing department, or whoever owns your company's standard document template. It should include your company logo, the name of the document and a page number. These items can be in the header or the footer.

Title of the Policy:

Make the title descriptive enough that you can find the document again later, and appropriate for the application(s) you had in mind.

Purpose:

A short paragraph that sums up the policy.

Table of Contents:

Allows for quick access to the rest of the document.

Definitions:

Define any abbreviations here. Also include definitions of roles such as Upper Management, Security Admin, IT Manager and Employees. Use standard definitions across all policies and list them in alphabetical order. I like to keep a single document with all the definitions I have created in one location for future reference.

Controls:

What types of security controls will be used to implement this policy?

Authority:

Under whose authority is the policy issued? Normally this would be an IT Manager (small to mid-size business) or a Security Manager. Whoever issues the policy needs to have been granted that authority by the board or owner of the company.

Responsibilities:

What are the responsibilities of employees, managers, visitors, etc.?

References:

Reference any external material and other policies. This is where I reference the specific procedures to follow, or the forms that are needed, to go with the policy.

Prerequisites:

What does a reader need to do before the policy can be put into effect?

Details:

List the details of the policy here.

Enforcement:

What happens when the policy is not followed? That wording goes here; it usually involves disciplinary action and usually allows for termination of employment.

Author:

Person or persons who wrote the policy.

Review & Approval:

Who reviewed and who approved the policy.

Attachments:

List other applicable documents here.

Version History:

Policies need to be versioned; most security regulations require keeping a number of years of history, which means keeping all versions of the security policies.

Applicable Standards/Regulations (Optional):

If you are following a specific set of security regulations, it is very helpful to list the regulations that the policy supports. This is used after all the policies have been written to check whether every regulation has been satisfied.

Appendices (Optional):

If external documents are not created, those documents can be written as appendices to the policy.

Location (Optional):

Document where the policy is stored; useful when it has been printed.