General Security policy

This is a general example of a security policy that is always good to have and better than nothing. Tweak it to your needs.

PURPOSE

This policy assigns responsibility for the security of [YOUR COMPANY] data and information systems. Components of security include confidentiality, availability and integrity.

AUTHORITY

DEFINITIONS

Critical data

Data supporting critical functions (i.e., business processes). This data is so important that its loss or unavailability is unacceptable.

Information Security Program

The set of managerial, operational and technical controls instituted to protect the integrity, availability and, if needed, confidentiality of information and the technology resources used to enter, store, process, and communicate electronic information.

Information Technology Resources

Specific items such as telecommunications devices, computer systems, media, and other equipment, goods, services and personnel related to the collection, storage or transport of electronic information.

Sensitive Data

Non-public data subject to legal requirements (e.g., Federal or State privacy laws) or other privacy or compliance considerations, which define and regulate its responsible use. The university’s Policy 1205 - Data Stewardship defines two types of sensitive data: protected and highly confidential.

APPLICABILITY

This policy applies to all information collected and/or processed using information technology resources at [COMPANY].

POLICY

Data and information technology resources must be recognized as valuable and worthy of protection. Depending on the scope and nature of the information, constraints and special procedures for access and handling may be required.

PROCEDURES

In keeping with the responsibilities outlined above, departments and offices shall develop, manage and review local operating policies and procedures to create the proper security posture for sensitive or critical data created and stored locally and on centrally managed computer systems. Integrity constraints, that is, procedures that ensure correct processing of correct data, shall be written as local procedures. Such procedures shall be reviewed as required.

RESPONSIBILITIES

SANCTIONS

Sanctions will be commensurate with the severity and/or frequency of offense and may include termination of employment or expulsion. In addition, violators may be subject to criminal and/or civil action.

EXCLUSIONS

None.

INTERPRETATION

Authority to interpret this policy rests with the president and is generally delegated to the assistant vice president for information technology and CIO.

Version ID

Version:

Approved by:

Previous version: