IT Policies List by Category and Importance
This document lists recommended IT policies by functional area and importance. Importance to small, medium, and large businesses should be considered. After the policy name, the estimated importance is listed as (n-n-n). The first numeral indicates the importance to large businesses on a scale of 1-5, with 5 being the most important. The second and third numerals list the importance to medium and small businesses respectively. The importance is based on a combination of possible risk and loss, considering trends in which vulnerabilities attackers commonly use. Many of these policies are followed by small businesses, but in an informal way. Keep in mind that the actual importance will vary based on organizational needs, and the perceived importance will vary based on a person's background and opinion. The importance scale runs from 1 (least important) to 5 (most important).
High Level Policy Creation Policy (5-5-4) - Defines responsibilities and requirements for policies including communication requirements.
High Level Information System Security Policy (5-5-4) (Information Security Policy*) - Defines who creates and maintains the plan, how often the plan is reassessed, and the benchmarks used to measure the security level. Someone should be designated to review new types of security threats to the organization.
Password Policy (4-4-3) - Rules for using passwords and required account settings. Applies to network administrators, system administrators, and users. Password complexity is more important than account expiration given the current state of computer security. Password resets are needed primarily when passwords are suspected of having been compromised by a virus, trojan, or other security incident. Too stringent a password reset schedule, without proper support and/or tools, can decrease security by forcing users to violate policy and write passwords down.
Remote Access Policy (3-3-2) - Provides requirements for remote access, including the requirement that remote access be used for authorized work only and not for personal use. The requirement for a firewall between the network and the internet is covered by the Perimeter Security Policy (5-5-5).
Computer Training Policy (4-4-4) - Provides training requirements for users and technical staff.
IT Resource Acceptable Use Policy (3-3-3) - Defines ownership of IT resources and improper use of IT resources.
User Privilege Policy (4-4-3) - Standardizes the privileges that users will have on their computers and the network.
Privacy and Confidentiality Policy (4-4-4) - Exclusive of the Information Sensitivity Policy - Outlines requirements for the handling of data by internal staff and business partners based on its security needs. Much of it overlaps with the Information Sensitivity Policy. Requires user-level access controls.
Account Management Policy (5-5-4) - Standardizes the methods used to create, modify, and remove accounts, covering keys, property, and access, and provides a process for adding and removing accounts. Granting and removal of access is to be authorized by the appropriate system owner, applying least privilege. Users must re-authenticate after a system failure. Procedures provide for periodic review to keep access mechanisms effective. Business users do not normally access test systems. A user ID and access mechanism are required for access to all systems. Systems provide the user with minimal information about why a login attempt failed.
Employee Termination Policy (5-5-4) - Designed to prevent unauthorized access to resources by outlining timely methods of access and property control when employees or contractors leave the organization, whether the separation is voluntary or not.
Browser Configuration Policy (5-5-5) - Covers configuration of all internet browsers. This policy ranges from very important to critical because it can prevent virus infections and thereby prevent loss of data. Its importance depends upon the criticality and sensitivity of the data in the organization.
Employee Background Screening Policy (4-4-4) - Designed to prevent the employment of, or the granting of access to, an ineligible person who may be a security risk. This policy is important since it can prevent loss of data. Its importance depends upon the criticality and sensitivity of the data in the organization.
Logon Banner Policy (3-3-2) - Establishes organizational policy for all electronic systems capable of displaying system messages. Qualifying systems must display a warning that the system being accessed is an organizational system, and that access is for official use only. This policy is important to ensure that violators may be prosecuted.
Code of Ethics Policy (4-4-4) (supported by a Code of Ethical Conduct) - Includes nondisclosure of sensitive information, confidentiality, and conflict of interest statements. Contains organizational rights, including the right to monitor and filter various content. Also lists the requirement to inform users that their content may be monitored or filtered.
Internet Connection Policy (5-5-5) - Describes how users may connect to the internet and prohibits modems and wireless connections without approval. Prevents complete compromise of network integrity by not allowing rogue connections to the internet.
Approved Application Policy (5-5-5) - Installation of unapproved software is not allowed. This policy is important since it can prevent loss of data due to trojans. Its importance depends upon the criticality and sensitivity of the data in the organization.
Wireless Communication Policy (5-5-5) - Defines the use of wireless devices in the organization and specifies how wireless devices shall be configured when used.
Network Documentation Policy (3-3-3) - Defines how the network structure and configuration are documented.
Network and Server Scanning Policy (4-4-3) - Designed to prevent system downtime due to adverse reactions to network scans while allowing for and requiring a minimum amount of vulnerability scanning to find and fix system security flaws. This is very important but does not replace or exceed the need for monitoring and proper server hardening exclusive of scans.
Perimeter Security Policy (5-5-5) - Defines how perimeter devices are managed. Covers the process for changing firewall rules, forbids bypassing firewalls, requires monthly firewall penetration analysis and review of firewall policies, allows only specifically permitted inbound network traffic, and requires that traffic for managing the firewall be secured. Requires a firewall between the internet and all networked devices. Requires the firewall to be built on a system hardened with minimal services; it must be immune to penetration and must actively monitor for attacks based on pattern recognition. Requires a DMZ for layered protection. Requires firewall management logins to use strong authentication. No multihomed host may be connected across a firewall. Requires audit trails of all traffic through the firewall. Requires alarms to notify administrators when suspicious activity is detected. If applicable, subnetworks carrying data of different sensitivity levels should be isolated or protected from each other. Firewall backups should go to servers that are secure and on a secure network. Firewalls should be fully backed up before patches are applied.
Internet DMZ Equipment Policy (5-4-3) - Describes or defines standards for equipment and services operating in the DMZ.
Router Security Policy (5-5-4) - Describes minimum configuration standards for all routers and switches connecting to the organizational network.
Telecommunications Communication Policy (4-4-4) - Describes standards of quality, testing, and physical security to ensure WAN performance and security. Ensures the media is secure and tested periodically. Subnets carrying data of different security levels must be separate.
Surf Control Policy (4-4-4) (AKA Web Filtering Policy) - Defines several rules to be followed when implementing surf control and provides some recommendations to allow administrators to have flexibility in implementing surf control.
Asset Control Policy (4-4-4) - Defines how assets are tracked including how equipment movement from location to location is done. This can prevent loss of equipment or sensitive data.
Equipment and Media Disposal Policy (4-4-4) - Designed to protect organizational data on the equipment or media being removed from service.
Mobile Computer Policy and Mobile Device Policy (5-5-5) - Defines the use of mobile computers and devices in the organization. Because technology changes, it is best to cover all mobile and memory devices in one policy so that all of them are covered, preventing both network infection and loss of data confidentiality.
IT Equipment Purchase and Failure Prevention Policy (5-5-5) - Provides a guideline for the purchase of IT equipment when the equipment supports critical services identified by the organization.
Software Tracking Policy (4-4-4) - Defines responsibilities, requirements, and methods to ensure software is stored properly, made available to authorized personnel for authorized use, and that licensing is sufficient and legal.
Software Licensing Policy (4-4-4) - Defines responsibilities, requirements, and methods to ensure software licensing and copyright requirements are being met.
Intellectual Property Rights Policy (4-4-4) - Primarily covers software but may also apply to hardware where intellectual property is involved. The importance of this policy will vary depending on the type of business the organization conducts.
Virus Protection Policy (4-4-4) - Addresses anti-virus policy on every computer including how often a virus scan is done, how often updates are done, what programs will be used to detect, prevent, and remove malware programs.
Patch Management Policy (5-5-5) - Establishes a minimum process for protecting the organizational computers on the network from security vulnerabilities. Specifies how updates are done for both servers and workstations, and who is responsible for performing the updates along with specifying the tools used to perform system updates.
System Lockdown Policy (5-5-5) - Defines a general process that should be used to lock down servers and workstations.
Server Monitoring Policy (5-5-5) - Provides minimum requirements for monitoring servers including regular review of logs (audit trails) and applications/services that may go down.
Backup and Recovery Policy (5-5-5) - Defines the backup policy for computers within the organization which are expected to have their data backed up.
Server Documentation Policy (4-4-4) - Defines the level of server documentation required such as configuration information and services that are running.
Computer and Printer Naming Policy (4-4-4) - Defines the requirements for the naming of servers, printers, and other devices on the network.
IP Address Assignment Policy (4-4-4) - Required to provide network security and stability by preventing the use of unauthorized devices (such as wireless devices connected without authorization) and by preventing network address conflicts.
Audit Trail Policy (5-5-5) - Provides guidance about the events to be logged, how long logs should be retained, and what access to logs should be granted.
Authentication Mechanism Policy (5-5-5) - An internal IT policy which provides minimum authentication requirements and guidance about what authentication mechanisms can be used on computing devices.
Computer Center Operations Policy (5-5-5) - Provides minimum standards for hosting servers in organizational hosting centers including physical security, request for change to networking, power, air, etc.
Computer Forensics Policy (5-5-5) - Ensures a proper process is followed for investigations and that the users are aware of simple computer forensic issues.
Server Security Policy (5-5-5) - Provides basic and minimum standards of configuration and control for servers and network equipment.
Workstation Configuration Policy (5-5-5) - Provides basic and minimum standards of configuration and control for workstations, including anti-virus, warning banner, and definition of system configuration settings such as showing file extensions when browsing the local computer.
Email Policy (5-5-5) - Provides minimum standards of configuration and control for E-mail including email server virus protection, allowed network location of servers, server backup requirements, and blocked file types.
System Availability Policy (5-5-5) - Links business requirements to system hosting requirements 24/7, etc.
Server Setup and Configuration Policy (5-5-5) - Ensures that servers that are purchased have the capacity to handle the demands placed on them and that their configuration properly supports the business processes in a secure manner.
Certification and Accreditation Policy (4-4-3) - Specifies when and how systems and servers will be certified and accredited. Ensures the proper and secure operation of servers and ensures that the business need is being met. It will also ensure that the business managers are aware of associated risks. If the proper project management process is being followed and the server setup, maintenance, monitoring, patch management, virus protection, and associated policies are followed, this policy has less impact.
Data Classification Policy (5-5-5) - Specifies how information/data is classified into sensitivity categories. Many businesses fail to do this so they cannot properly protect their data.
Information Sensitivity Policy (5-5-5) - Defines how information is stored and transmitted based on sensitivity. Includes destruction.
Risk Assessment Policy (4-4-3) - Specifies how to identify risk in order to remediate it. The importance of this policy will directly correlate to how well other policies are followed. If server maintenance policies are followed along with disaster recovery and business continuity policies and other service supporting policies are followed, risks are automatically reduced.
Database Passwords Policy (5-5-5) - Ensures security of accounts used to access databases in order to protect the security of the data stored in them.
Encryption Policy (5-5-5) - Sets use of encryption to proven and secure encryption mechanisms to ensure that all information or data is properly encrypted based on its sensitivity classification.
Application Implementation Policy (5-5-5) - Used to assess the security impact of new applications and be sure they are tested properly.
Incident Response Policy (5-5-5) - Defines requirements for responses to incidents and provides procedure requirements for informing the correct personnel.
Intrusion Detection Policy (4-4-3) - Specifies how intrusion detection shall be used on the organizational network.
Disaster Recovery Policy (4-4-4) - Provides guidance and standards to be used in developing disaster recovery plans, business contingency plans, business continuity plans, and the process of recovering from a disaster. Importance of this policy is related to the risk of the business depending on the chance of a disaster and the type of business.
Third Party Identity Policy (4-4-4) - Specifies the requirements for third party organizations to work on projects for the organization including requirements for identifying third parties that connect electronically.
Physical Security Policy (4-4-4) - Specifies methods used to physically protect organizational computer systems and who is responsible for implementing methods used.
Extranet Policy - Used to control access from external partners and contractors (any third party organizations).
IT Steering Committee Policy (5-5-5) - Determines how new threats and new technologies are reviewed and reacted to by the enterprise. Aligns and structures IT resources and divisions.
Insurance Purchase Policy (4-4-4) - Used to determine when to purchase insurance in conjunction with risk reviews for possible disasters or loss of business continuity.
Segregation of Duties Policy (4-4-4) - Requires that duties be divided among multiple employees wherever a single individual with the ability to perform all of the related tasks would have an opportunity for profit or abuse.
Change Management Policy (4-4-4) - Requires that changes to systems and software are coordinated and logged to prevent duplication of effort or conflict.
Auditing - Periodic auditing is performed to check for unauthorized software. (List the things that must be audited.)
Security Controls Review Policy (may need to be written) (3-3-3) - Requires periodic review of security controls.
Auditing Policy (5-4-3) - Specifies auditing done regularly to be sure security guidelines and policies are being followed. Larger organizations may tend to need this more since there is more specialization of duties.
Third party IT Service Policy (5-5-5) - Describes requirements for third party vendors to meet in order to sell services to the enterprise such as web hosting.
Software Standards Policy (5-5-5 depending on quality and security needs) - Applies to all programmers including third parties. It is designed to ensure the quality of software generated by, generated for, and used by the organization.
Business Continuity Policy (5-5-5) - Should provide information and requirements for continuity plans for critical systems. This is a large subject which should be done separately (under development*). Can specific plans be defined that assign positional responsibilities for businesses of different limited sizes and types?
Development Life Cycle Policy (5-5-5) - Intended to ensure applications, systems, and services are properly designed. Security must be involved from the start of the project. A large set of documents in its own folder (under development*).
Technology and System Management Policy (4-4-4) - Used to manage new systems and network capability, upgrade systems, and implement new technologies.
Preventative Maintenance Policy (4-4-4) - Used to determine how, when, and what equipment will be maintained with preventative maintenance schedules or contracts.
Technology Planning Policy (4-4-4) - Provides a management framework for the creation and maintenance of short- and long-term plans for Information Technology and its management, establishing roles, performance measurement, etc. Provides for the creation and management of an organizational data dictionary. Can be used to phase in new technologies, such as increased use of fiber optics in networking.
Acquisition and Maintenance Policy (5-4-3) - Provides policy to keep acquisition and maintenance activities in line with planned technology infrastructure.
Configuration Management Policy (5-5-4) (Change Management is part of Configuration Management) - Designed to help management manage IT configuration and structure to best satisfy the business needs.
Contracting Policy (5-5-4) - Requires that all third party services are identified and documented. It requires that third party services meet quality requirements and that contracts specify quality standards. It requires assignment of roles and responsibilities for monitoring third party services, managing relationships, and managing contracts.
Supplier Policy (5-5-4) (Procurement Policy) - Ensures third party goods meet quality requirements and deliveries are timely.
Cost Management Policy (5-4-3) - Ensures that the costs of information technology are controlled based upon the business requirement and that costs are tracked and identified.
Communication Policy (5-5-5) - Ensures that policies are adequately communicated to staff.
IT Organizational Policy (5-5-5) - Outlines and defines an effective IT structure, ensuring the information technology function is properly led, funded, and structured to meet organizational needs.
IT Budget Policy (4-4-3) - Requires that roles and responsibilities are defined for budgeting, risks are identified, and the budget is monitored.
IT Human Resource Policy (5-5-4) - Policy for recruiting and promoting IT staff.
External Requirements Policy (5-5-4) - Policy to ensure that the organization complies with applicable laws, contracts, etc.
Customer Support Policy (5-5-4) - Establishes help desk and operations including contacts, escalation, and record keeping.
Emergency Access Policy (4-4-4) - Ensures security is kept in place during emergencies and adequate preparation helps minimize the impact of emergencies.
Service Level Policy (4-3-2) - **needs an example and needs review (add related policies)** - Defines who creates the agreement; management defines the functions. The service quality manager job role needs to be defined.
Service Monitoring Policy (4-3-2) - Requires a quality assurance plan to be developed and enforced along with quality standards. It requires that quality is measured where possible, reviewed, and improved upon where possible.
Internal Controls Policy (4-3-2) - Requires that internal controls are effectively monitored and improved to maximize their effectiveness and meet their purpose.
Service Reliability and Continuity Policy (5-4-3) - Designed to help management ensure reliable and continuous service.
Service Quality Policy (4-4-3) - Designed to allow management to monitor and manage the quality of service.
Quality Policy (4-3-2) - A general quality policy that requires that a quality assurance plan is developed and enforced along with quality standards. It requires that quality is measured where possible, reviewed, and improved upon where possible.