Introduction to the SANS Security Policy Project
Welcome to the SANS Security Policy Resource page, a consensus research project of the SANS community. The ultimate goal of the project is to offer everything you need for rapid development and implementation of information security policies. You'll find a great set of resources posted here already including policy templates for twenty-four important security requirements.
There is no cost for using these resources. They were compiled to help the people attending SANS training programs, but security of the Internet depends on vigilance by all participants, so we are making this resource available to the entire community.
Over the years a frequent request of SANS attendees has been for consensus policies, or at least policy templates, that they can use to get their security programs updated to reflect 21st century requirements. While SANS has provided some policy resources for several years, we felt we could do more if we could get the community to work together. This page provides a vastly improved collection of policies and policy templates.
It also offers a primer for those new to policy development and specific guidance on policies related to legal requirements such as the HIPAA guidelines.
This page will continue to be a work in progress and the policy templates will be living documents. We hope all of you who are SANS attendees will be willing and able to point out any problems in the models we post. We also hope that you will share policies your organization has written if they reflect a different need from those provided here or if they do a better job of making the policies brief, easy to read, feasible to implement, and effective.
We'll make improvements and add new resources and sample policies as we discover them.
About the Project Director
More than 1,000 security officers have learned how to manage the security process from Michele D. Guel. Her experience as a trusted senior security professional in the US government and in one of the nation's largest technology companies has provided a solid foundation for her courses. Over the years she has developed and implemented dozens of policies, but she is always open to new ways of approaching problems and new ways of improving security.
Do You Have a Question Regarding Security Policies or Something to Contribute?
Announcing the SANS Policy Email Hotline. If you have a question regarding security policies or want to share a sample policy or a resource site you feel is worthy of mention, send email to policies@sans.org.
Is it a Policy, a Standard or a Guideline?
What's in a name? We frequently hear people use the names "policy", "standard", and "guideline" to refer to documents that fall within the policy infrastructure. So that those who participate in this consensus process can communicate effectively, we'll use the following definitions.
A policy is typically a document that outlines specific requirements or rules that must be met. In the information/network security realm, policies are usually point-specific, covering a single area. For example, an "Acceptable Use" policy would cover the rules and regulations for appropriate use of the computing facilities.
A standard is typically a collection of system-specific or procedure-specific requirements that must be met by everyone. For example, you might have a standard that describes how to harden a Windows NT workstation for placement on an external (DMZ) network. People must follow this standard exactly if they wish to install a Windows NT workstation on an external network segment.
A guideline is typically a collection of system-specific or procedure-specific "suggestions" for best practice. They are not requirements to be met, but are strongly recommended. Effective security policies make frequent references to standards and guidelines that exist within an organization.
What is all the hype on HIPAA?
HIPAA stands for Health Insurance Portability and Accountability Act. From a HIPAA FAQ:
Passed in 1996, HIPAA is designed to protect confidential healthcare information through improved security standards and federal privacy legislation. It defines requirements for storing patient information before, during and after electronic transmission. It also identifies compliance guidelines for critical business tasks such as risk analysis, awareness training, audit trail, disaster recovery plans and information access control and encryption.
Complying with Security Standards
There are 18 information security standards in three areas that must be met to ensure compliance with the HIPAA Security Rule. The three areas are:
- Administrative Safeguards: documented policies and procedures for day-to-day operations; managing the conduct of employees with electronic protected health information (EPHI); and managing the selection, development, and use of security controls.
- Physical Safeguards: security measures meant to protect an organization's electronic information systems, as well as related buildings and equipment, from natural hazards, environmental hazards, and unauthorized intrusion.
- Technical Safeguards: security measures that specify how to use technology to protect EPHI, particularly controlling access to it.
Need a Primer on Security Policies?
Are you new to developing security policies? Do you need a refresher course or something to help you convince management of the need for policies? If so, check out the 30-page policy primer from Michele Guel's full-day course "Proven Practices for Managing the Security Function." This course is one day of SANS' most popular new certification program, the foundation program for Certified Information Security Officers.
Policy Primer (PDF)
Need an Example Policy or Template?
SANS has received permission to provide sanitized security policies from a large organization. These policies were developed by a group of experienced security professionals with more than 80 years of combined experience in government and commercial organizations, and each policy went through a rigorous approval process. They should form a good starting point if you need one of these policies.
Some tips about these policies: anything that is in <angle brackets> should be replaced with the appropriate name from your organization. The term "InfoSec" is used throughout these documents to refer to the team of people responsible for network and information security; replace "InfoSec" with the appropriate group name from your organization. Any policy name that is in italics is a reference to a policy that is also available on this site.
- Acceptable Encryption Policy
- Defines requirements for encryption algorithms used within the organization.
- Acceptable Use Policy
- Defines acceptable use of equipment and computing services, and the appropriate employee security measures to protect the organization's corporate resources and proprietary information.
- Analog/ISDN Line Policy
- Defines standards for use of analog/ISDN lines for Fax sending and receiving, and for connection to computers.
- Anti-Virus Process
- Defines guidelines for effectively reducing the threat of computer viruses on the organization's network.
- Application Service Provider Policy
- Defines minimum security criteria that an ASP must execute in order to be considered for use on a project by the organization.
- Application Service Provider Standards
- Outlines the minimum security standards for the ASP. This policy is referenced in the ASP Policy above.
- Acquisition Assessment Policy
- Defines responsibilities regarding corporate acquisitions, and defines the minimum requirements of an acquisition assessment to be completed by the information security group.
- Audit Vulnerability Scanning Policy
- Defines the requirements and provides the authority for the information security team to conduct audits and risk assessments to ensure integrity of information/resources, to investigate incidents, to ensure conformance to security policies, or to monitor user/system activity where appropriate.
- Automatically Forwarded Email Policy
- Documents the requirement that no email will be automatically forwarded to an external destination without prior approval from the appropriate manager or director.
- Bluetooth Device Security Policy
- This policy provides for more secure Bluetooth Device operations. It protects the company from loss of Personally Identifiable Information (PII) and proprietary company data.
- Database Credentials Coding Policy
- Defines requirements for securely storing and retrieving database usernames and passwords.
- Dial-in Access Policy
- Defines appropriate dial-in access and its use by authorized personnel.
- DMZ Lab Security Policy
- Defines standards for all networks and equipment deployed in labs located in the "Demilitarized Zone" or external network segments.
- E-mail Policy
- Defines standards to prevent tarnishing the public image of the organization.
- E-mail Retention
- The Email Retention Policy is intended to help employees determine what information sent or received by email should be retained and for how long.
- Ethics Policy
- Defines the means to establish a culture of openness, trust and integrity in business practices.
- Extranet Policy
- Defines the requirement that third party organizations requiring access to the organization's networks must sign a third-party connection agreement.
- Information Sensitivity Policy
- Defines the requirements for classifying and securing the organization's information in a manner appropriate to its sensitivity level.
- Information System Audit Logging Requirements
- In July 2006 SANS held its first ever Log Management Summit. One issue identified at the Summit is that it is difficult to ensure that all information systems generate appropriate audit logs and that those audit logs can be integrated with an enterprise's log management function. This document attempts to address this issue by identifying specific requirements information systems must meet in order to generate appropriate audit logs and integrate with an enterprise's log management function. The intention is that this language can easily be adapted for use in enterprise IT security policies and standards, and also in enterprise procurement standards and RFP templates. In this way, organizations can ensure that new IT systems, whether developed in-house or procured, support necessary audit logging and log management functions.
- Internal Lab Security Policy
- Defines requirements for internal labs to ensure that confidential information and technologies are not compromised, and that production services and interests of the organization are protected from lab activities.
- Internet DMZ Equipment Policy
- Defines the standards to be met by all equipment owned and/or operated by the organization that is located outside the organization's Internet firewalls (the demilitarized zone or DMZ).
- Lab Anti-Virus Policy
- Defines requirements which must be met by all computers connected to the organization's lab networks to ensure effective virus detection and prevention.
- Password Protection Policy
- Defines standards for creating, protecting, and changing strong passwords.
- Personal Communication Device
- Describes Information Security's requirements for Personal Communication Devices and Voicemail.
- Remote Access Policy
- Defines standards for connecting to the organization's network from any host or network external to the organization.
- Removable Media Policy
- Defines coverage of all computers and servers operating in an organization.
- Remote Access - Mobile Computing and Storage Devices
- To establish an authorized method for controlling mobile computing and storage devices that contain or access information resources.
- Risk Assessment Policy
- Defines the requirements and provides the authority for the information security team to identify, assess, and remediate risks to the organization's information infrastructure associated with conducting business.
- Router Security Policy
- Defines standards for minimal security configuration for routers and switches inside a production network, or used in a production capacity.
- Server Security Policy
- Defines standards for minimal security configuration for servers inside the organization's production network, or used in a production capacity.
- Server Malware Protection Policy
- Outlines which server systems are required to have anti-virus and/or anti-spyware applications.
- The Third Party Network Connection Agreement
- Defines the standards and requirements, including legal requirements, needed in order to interconnect a third party organization's network to the production network. This agreement must be signed by both parties.
- VPN Security Policy
- Defines the requirements for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the organization's network.
- Wireless Communication Policy
- Defines standards for wireless systems used to connect to the organization's networks.
- Wireless Communication Standard
- Defines standards for wireless systems used to connect to the organization's networks.