General Security policy#

This is a general example of a always good and better than nothing security policy. Tweak it to your needs.


This policy assigns responsibility for the security of [YOUR COMPANY] data and information systems. Components of security include confidentiality, availability and integrity.



Critical data#

Data supporting critical functions (i.e., business processes. This data is so important that its loss or unavailability is unacceptable.

Information Security Program#

The set of managerial, operational and technical controls instituted to protect the integrity, availability and, if needed, confidentiality of information and the technology resources used to enter, store, process, and communicate electronic information.

Information Technology Resources#

Specific items such as telecommunications devices, computer systems, media, and other equipment, goods, services and personnel related to the collection, storage or transport of electronic information.

Sensitive Data#

Non-public data subject to legal requirements (e.g., Federal or State privacy laws) or other privacy or compliance considerations, which define and regulate its responsible use. The university’s Policy 1205 - Data Stewardship defines two types of sensitive data: protected and highly confidential.


This policy applies to all information collected and/or processed using information technology resources at [COMPANY]


Data and information technology resources must be recognized as valuable and worthy of protection. Depending on the scope and nature of the information, constraints and special procedures for access and handling may be required.


In keeping with the responsibilities outlined above, departments and offices shall develop, manage and review local operating policies and procedures to create the proper security posture for sensitive or critical data created and stored locally and on centrally managed computer systems. Integrity constraints, procedures that ensure correct processing of correct data, shall be written as local procedure. Such procedures shall be reviewed as required.



Sanctions will be commensurate with the severity and/or frequency of offense and may include termination of employment or expulsion. In addition, violators may be subject to criminal and/or civil action.




Authority to interpret this policy rests with the president and is generally delegated to the assistant vice president for information technology and CIO.

Version ID#


Approved by:

Previous version: