Sample Security Policy
- Category: Security
- Published on Monday, 15 August 2011 19:34
- Written by Kinda Strange
The Information Security Policy is intended to help employees determine the proper usage of company IT assets, sensitivity of information, risk assessment, and proper disclosure protocols.
Company information is to be categorized into the main classifications of public and confidential. Information is to default to the confidential classification. Public information has been approved and properly authorized and can thus be provided to the general public. All other information is to be considered confidential. Confidential information will be further divided into different security levels. If an employee is uncertain as to the sensitivity level of a piece of information, he/she should contact their manager.
Employees are not to provide information to other employees who may not be authorized to view that level of information. Confidential information is only to be stored in the approved manner in a location to which the general public does not have access. Confidential information is to be disposed of in the specially marked bins to be destroyed. Electronic information is to be erased in accordance with the approved IT policy, or be physically destroyed.
Confidential information is not to be sent via any protocol other than the approved company provided electronic mail or the interoffice envelopes marked ‘confidential’. Electronic information is to be encrypted in accordance with the accepted encryption policy. Files containing confidential and/or sensitive data may not be stored in personal communication devices unless protected by approved encryption.
Employees are to protect their user authorization information. Under no circumstances is an employee to use his or her user authorization to allow another to access the system or facilities. User authorization hardware is to be kept in a secured location. Log-ins and user passwords are to be kept secure and are not to be shared. Employees are to log out of a computer whenever the computer is no longer under their sole and direct control.
Company assets such as computers and phones are to be used for business purposes only. Nothing is to be downloaded or installed on company assets without approval from an authorized member of the IT department. It is forbidden to visit websites outside of the approved sites while on company time and/or using company assets. Secure Internet access points and networks are to be used with company assets. If a company asset is not in the physical possession of an authorized employee, it is to be locked in an unusable state and rendered immobile. Portable computers are to use the special authorized keys and must be properly secured when not in use.
Any employee found to have violated this policy may be subject to disciplinary action, including termination of employment and legal action.