Defines acceptable use of IT equipment and computing services, and the appropriate employee security measures to protect the organization's corporate resources and proprietary information. [MS Word]

Defines responsibilities regarding corporate acquisitions and the minimum requirements of an acquisition assessment to be completed by the information security group. [MS Word]

Defines policy for analog/ISDN lines used for FAXing and data connections.

Requirements for effective virus detection and prevention. Written for a laboratory environment but easy to adapt for other settings. [MS Word]

Security criteria for an ASP.

Defines requirements and provides authority for the information security team to conduct IT audits and risk assessments.

Sample policy from the University of North Carolina requires daily, weekly and monthly backups (sometimes known as 'grandfather, father, son').

Sample policy requires a cycle of daily and weekly backups (monthly backups are also advisable).

High level information security policy from Washington University.

An overarching security policy from Berkeley University includes links to more specific and detailed policies.