IT Policies List by Category

This page lists recommended IT policies by functional areas. The policies do not need to have the same names but overall functionality should be covered by the policies your organization has. This page sometimes mentions standards or procedures along with the policy. They may be included in the same document but are normally referenced by the policy and are separate documents.

High Level Policies

  1. High Level Policy Creation Policy - Defines responsibilities for policies. Defines requirements for policies such as what must be included.
  2. High Level Information System Security Policy - Defines who creates and maintains the plan, how often the plan is reassessed, and the benchmarks used to measure the security level. Someone should be designated to review new types of security threats for the organization.

User Policies

  1. Password Policy - Rules for using passwords and required account settings. Applies to network administrators, system administrators, and users.
  2. Remote Access Policy - Provides requirements for remote access.
  3. Computer Training Policy - Provides training requirements for users and technical staff.
  4. IT Acceptable Use - Defines ownership of IT resources and improper use of IT resources.
  5. User Privilege Policy - Standardizes the privileges that users will have on their computers and the network.
  6. Privacy and Confidentiality Policy - Outlines requirements for the handling of data based on its security needs for internal staff and business partners.
  7. Account Management Policy - Standardizes the methods used to create, modify, and remove accounts covering keys, property, access, and providing a process for adding and removing accounts. Access/removal to be authorized by the appropriate system owner, considering least privilege. Users to re-authenticate after system failure. Procedures provide for review to keep access mechanisms effective. Business users don't normally access test systems. User ID and access mechanism required for access to all systems. Systems provide minimal information about invalid login to user.
  8. Employee Termination Policy - Designed to prevent unauthorized access to resources by outlining timely methods of access and property control when employees or contractors leave the organization, whether the separation is voluntary or not.
  9. Browser Configuration Policy - Covers configuration of all internet browsers.
  10. Employee Background Screening Policy - Designed to prevent the employment of or allow access by an ineligible person who may be a security risk.
  11. Logon Banner Policy - Establishes organizational policy for all electronic systems capable of displaying system messages. Qualifying systems must display a warning that the system being accessed is an organizational system, and that access is for official use only.
  12. Code of Ethics Policy (supported by Code of Ethical Conduct) - Includes nondisclosure of sensitive information, confidentiality and conflict of interest statements.

Network Policies

  1. Internet Connection Policy - Describes how users can connect to the internet and prohibits modems and wireless connections without approval.
  2. Approved Application Policy - Installation of unapproved software is not allowed, to prevent the installation of insecure software or malware on devices on the network.
  3. Wireless Communication Policy - Defines the use of wireless devices in the organization and specifies how wireless devices shall be configured when used.
  4. Network Documentation Policy - Defines how the network structure and configuration is documented.
  5. Network and Server Scanning Policy - Designed to prevent system downtime due to adverse reactions to network scans while allowing for and requiring a minimum amount of vulnerability scanning to find and fix system security flaws.
  6. Perimeter Security Policy - Defines how perimeter devices are managed. Covers the process for changing firewall rules, forbidding bypassing of firewalls, monthly firewall penetration analysis, review of firewall policies, allowing only specifically permitted inbound network traffic, and requiring that traffic for managing the firewall be secure. Requires a firewall between the internet and all networked devices. Requires the firewall to be built on a system hardened with minimal services; the firewall must be immune to penetration and actively monitor for attacks based on pattern recognition. Requires a DMZ for layered protection. Requires firewall management logins to use strong authentication. No multihomed host may be connected across a firewall. Requires audit trails of all traffic through the firewall. Requires alarms to notify administrators when suspicious activity is detected. If applicable, subnetworks carrying data of various sensitivity levels should be isolated or protected from each other. Firewall backups should go to servers that are secure and on a secure network. Firewalls should be fully backed up before patches are applied.
  7. Internet DMZ Equipment Policy - Describes or defines standards for equipment and services operating in the DMZ.
  8. Router Security Policy - Describes minimum configuration standards for all routers and switches connecting to the organizational network.
  9. Telecommunications Communication Policy - Describes standards of quality, testing, and physical security to ensure WAN performance and security, including that the media is secure and tested periodically. Subnets with data of different security levels must be separate.
  10. Surf Control Policy (AKA Web Filtering Policy) - Defines several rules to be followed when implementing surf control and provides some recommendations to allow administrators to have flexibility in implementing surf control.

Equipment Control Policies

  1. Asset Control Policy - Defines how assets are tracked including how equipment movement from location to location is done.
  2. Equipment and Media Disposal Policy - Designed to protect organizational data on the equipment or media being removed from service.
  3. Mobile Computer Policy and Mobile Device Policy - Defines the use of mobile computers and devices in the organization. Because of rapid technology changes, it is best to cover all mobile and memory devices in one policy to be sure all are included, preventing both network infection and loss of data confidentiality.
  4. IT Equipment Purchase and Failure Prevention Policy - Provides a guideline for the purchase of IT equipment when the equipment supports organizational identified critical services.
  5. Software Tracking Policy - Defines responsibilities, requirements, and methods to ensure software is stored properly, made available to authorized personnel for authorized use, and that licensing is sufficient and legal.
  6. Software Licensing Policy - Defines responsibilities, requirements, and methods to ensure software licensing and copyright requirements are being met.
  7. Intellectual Property Rights Policy - Primarily covers software but may also apply to hardware where intellectual property is involved.

System Protection Policies

  1. Virus Protection Policy - Addresses anti-virus policy on every computer including how often a virus scan is done, how often updates are done, what programs will be used to detect, prevent, and remove malware programs.
  2. Patch Management Policy - Establishes a minimum process for protecting the organizational computers on the network from security vulnerabilities. Specifies how updates are done for both servers and workstations, and who is responsible for performing the updates along with specifying the tools used to perform system updates.
  3. System Lockdown Policy - Defines a general process that should be used to lock down servers and workstations.
  4. Server Monitoring Policy - Provides minimum requirements for monitoring servers including regular review of logs (audit trails) and applications/services that may go down.
  5. Backup and Recovery Policy - Defines the backup policy for computers within the organization which are expected to have their data backed up.
  6. Server Documentation Policy - Defines the level of server documentation required such as configuration information and services that are running.
  7. Computer and Printer Naming Policy - Defines the requirements for the naming of servers, printers, and other devices on the network.
  8. IP Address Assignment Policy - Required to provide network security and stability by preventing the use of unauthorized devices, such as wireless devices connected without authorization, and by preventing network address conflicts.
  9. Audit Trail Policy - Provides guidance about the events to be logged, how long logs should be retained, and what access to logs should be granted.
  10. Authentication Mechanism Policy - An internal IT policy which provides minimum authentication requirements and guidance about what authentication mechanisms can be used on computing devices.
  11. Computer Center Operations Policy - Provides minimum standards for hosting servers in organizational hosting centers including physical security, request for change to networking, power, air, etc.
  12. Computer Forensics Policy - Ensures a proper process is followed for investigations and that users are aware of basic computer forensic issues.
  13. Server Security Policy - Provides basic and minimum standards of configuration and control for servers and network equipment.
  14. Workstation Configuration Policy - Provides basic and minimum standards of configuration and control for workstations, including anti-virus, warning banner, and definition of system configuration settings such as showing file extensions when browsing the local computer.
  15. Email Policy - Provides minimum standards of configuration and control for email, including email server virus protection, allowed network location of servers, server backup requirements, and blocked file types.
  16. System Availability Policy - Links business requirements to system hosting requirements 24/7, etc.
  17. Server Setup and Configuration Policy - Ensures that servers that are purchased have the capacity to handle the demands placed on them and that their configuration properly supports the business processes in a secure manner.
  18. Certification and Accreditation Policy - Specifies when and how systems and servers will be certified and accredited. Ensures the proper and secure operation of servers and ensures that the business need is being met. It will also ensure that the business managers are aware of associated risks.

Data Protection Policies

  1. Data Classification Policy - Specifies how information/data is classified into sensitivity categories.
  2. Information Sensitivity Policy - Defines how information is stored and transmitted based on sensitivity. Includes destruction.
  3. Risk Assessment Policy - Specifies how to identify risk in order to remediate it.
  4. Database Passwords Policy - Ensures security of accounts used to access databases in order to protect the security of the data stored in them.
  5. Encryption Policy - Sets use of encryption to proven and secure encryption mechanisms to ensure that all information or data is properly encrypted based on its sensitivity classification.
  6. Application Implementation Policy - Used to assess the security impact of new applications.

General Security Policies

  1. Incident Response Policy - Defines requirements for responses to incidents and provides procedure requirements for informing the correct personnel.
  2. Intrusion Detection Policy - Specifies how intrusion detection shall be used on the organizational network.
  3. Disaster Recovery Policy - Provides guidance and standards to be used in developing disaster recovery plans, business contingency plans, business continuity plans, and the process of recovering from a disaster.
  4. Third Party Identity Policy - Specifies the requirements for third party organizations to work on projects for the organization including requirements for identifying third parties that connect electronically.
  5. Physical Security Policy - Specifies methods used to physically protect organizational computer systems and who is responsible for implementing methods used.
  6. Extranet Policy - Used to control access from external partners and contractors (any third party organizations).
  7. IT Steering Committee Policy - Determines how new threats and new technologies are reviewed and reacted to by the enterprise. Aligns and structures IT resources and divisions.
  8. Insurance Purchase Policy - Used to determine when to purchase insurance in conjunction with risk reviews for possible disasters or loss of business continuity.
  9. Segregation of Duties Policy - Requires that duties be split among multiple employees wherever a single individual with the ability to perform all of the related tasks would have an opportunity for profit or abuse.

Auditing Policies

Periodic auditing is performed to check for unauthorized software and adherence to policies.
  1. Security Controls Review Policy - Requires periodic review of security controls.
  2. Auditing Policy - Specifies auditing done regularly to be sure security guidelines and policies are being followed.

Contracting and Software Development Policies

  1. Third party IT Service Policy - Describes requirements for third party vendors to meet in order to sell services to the enterprise such as web hosting.
  2. Software Standards Policy - Applies to all programmers including third parties. It is designed to ensure the quality of software generated by, generated for, and used by the organization.
  3. Software Standards Specification - This is a document which specifies the organizational quality standards and methodologies for software functions.

Business Protection Policies

  1. Business Continuity Policy - Requires that plans be in place and tested to ensure continuity of operation for critical systems and business processes after a disaster.

Management Policies

  1. System Change Management Policy - Used to manage changes to systems and be sure the appropriate people are notified when changes are made.
  2. Software Change Management Policy - Used to manage changes to software and be sure the appropriate people are notified when changes are made. Software changes have a nature different than system changes and need to be managed differently.
  3. Technology and System Management Policy - Used to manage new systems and network capability, upgrade systems, and implement new technologies.
  4. Preventative Maintenance Policy - Used to determine how, when, and what equipment will be maintained with preventative maintenance schedules or contracts.
  5. Technology Planning Policy - Provides management framework for plan (short and long term) creation and maintenance for Information Technology and its management establishing roles, performance measurement, etc. Provides for the creation and management of an organizational data dictionary.
  6. Acquisition and Maintenance Policy - Provides policy to keep acquisition and maintenance activities in line with planned technology infrastructure.
  7. Configuration Management Policy - Designed to help management manage IT configuration and structure to best satisfy the business needs.
  8. Contracting Policy - Requires that all third party services are identified and documented. It requires that third party services meet quality requirements and that contracts require quality standards. It requires assignment of roles and responsibilities for monitoring third party services, managing relationships, and managing contracts.
  9. Supplier Policy (AKA Procurement Policy) - Ensures third party goods meet quality requirements and deliveries are timely.
  10. Cost Management Policy - Ensures that costs of information technology are controlled based upon the business requirement and that costs are tracked and identified.
  11. Communication Policy - Ensures that policies are adequately communicated to staff.
  12. IT Organizational Policy - Outlines and defines an effective IT structure, ensuring the information technology function is properly led, funded, and structured to meet organizational needs.
  13. IT Budget Policy - Requires that roles and responsibilities are defined for budgeting, risks are identified, and the budget is monitored.
  14. IT Human Resource Policy - Policy for recruiting and promoting IT staff.
  15. External Requirements Policy - Policy to ensure that the organization complies with applicable laws, contracts, etc.
  16. Development Life Cycle Policy - Intended to ensure applications, systems, and services are properly designed. Security must be involved from the start of the project.

Operational Policies

  1. Customer Support Policy - Establishes help desk and operations including contacts, escalation, and record keeping.
  2. Emergency Access Policy - Ensures security is kept in place during emergencies and adequate preparation helps minimize the impact of emergencies.
  3. Service Level Policy - Defines who creates the service level agreement. Management defines functions.
  4. Service Monitoring Policy - Requires a quality assurance plan to be developed and enforced along with quality standards. It requires that quality is measured where possible, reviewed, and improved upon where possible.
  5. Internal Controls Policy - Requires that internal controls are effectively monitored and improved to maximize their effectiveness and meet their purpose.
  6. Service Reliability and Continuity Policy - Designed to help management ensure reliable and continuous service.
  7. Service Quality Policy - Designed to allow management to monitor and manage the quality of service.
  8. Quality Policy - A general quality policy that requires that a quality assurance plan is developed and enforced along with quality standards. It requires that quality is measured where possible, reviewed, and improved upon where possible.