Security Policies Library Updated: 29 May 2025
Got to Know The Security Policies / Security Rules Before You Break Them
Ol’ Security Policies. I have worked with, read many, edited many, audited reams of them, written from scratch, maybe even violated a few, investigated countless, and trained on countless sets of security rules and policies, in all types of organizations around the world. The most common title of these sets of rules is “our Security Policy”, a term I promote in my security governance training, but to help all types of organizations that have struggled with these types of rules/policies, I am going back to 3rd grade and just calling them “rules” for now. If your organization decides to call them “Rules” or “Policies” or “Requirements” or _____, your call, just make sure it’s a term that fits the culture and is enforceable. It is about accountability of “I”, the individual human reading them, that they understand and will follow…
I can’t tell you how many times I have seen rules/policies, some of which I helped write, where it was close to impossible to determine who (individually) was accountable.
They read like a company was writing to a company and not to an individual.
The ones below and in the future are my attempts to 1. Provide a free resource to people that have little or no rules/policies or resources to make them, and 2. Provide a new direction for industry security rules / security policies that are written from the organization to the individuals to mature to maximum accountability. Determining who is accountable comes in the form of a RACI exercise that is independent of these rules/policies. Ultimately, it’s the CEO-level person if no one else is assigned, but guess what, the CEO-level person should be equally accountable and sign these same documents.
This collection is not meant to cover every need, but will support any size organization (NGO to SMB to Fortune ### to Government). It is meant to simplify these rules/policies into literally one page and hyper-focus on individual accountability. Yes, you will have some overlap as some organizations only need specific documents vs. all of them.
Before Governance, Mission and Culture Reign, BUT without Governance, Mission and Culture can be destroyed with just one incident
Good Luck, and if we can be of service to help you enhance these documents or help you with implementation, we would be honored to service you and your organization.
Note: I am using ChatGPT for the DESCRIPTIONS of these security policies only; the actual security policies do not use any (Gen) AI. They are all based on my real-world and practical experience. Unless something thinks my intelligence is artificial… Hey, no comment from my friends and family.
Jim McConnell
info@askmcconnell.com
Ask McConnell, LLC
https://askmcconnell.com

The Security Commitment
Updated: 20 March 2025
An example agreement between the organization and the individual about these rules and policies and the consequences

Security Policies

Personnel Security
Updated: 20 March 2025
The policy linked above explains how we protect the organization through strong personnel security practices. It covers hiring, access, and conduct requirements. These measures help reduce insider threats and protect sensitive information. The policy applies to all staff, contractors, and temporary workers.

Physical Security
Updated: 13 April 2025
The policy linked above explains how we protect our buildings, equipment, and people through strict physical security measures. It includes detailed rules for access, safety, and emergency situations. These controls help prevent unauthorized entry and protect company assets. The policy applies to all employees, visitors, and contractors.

User IDs / Login IDs – Cyber / Information Security
Updated: 20 March 2025
The policy linked above explains how we manage User IDs and Logon IDs to protect access to our systems and data. It includes strict rules to ensure only authorized users can log in. This helps prevent misuse and keeps information safe. The policy applies to all employees and system users.

Supply Chain Security
Updated: 05 April 2025
The policy linked above explains how we protect our supply chain from security risks and disruptions. It includes strict rules and controls to keep products, services, and data safe. The policy applies to all vendors, partners, and internal teams. It helps ensure every part of the supply chain is secure and reliable.

Technology Software Security Updates
Updated: 20 March 2025
The policy linked above explains how we manage software updates to keep our systems safe and secure. It outlines strict rules for keeping software current and protected against threats. All updates are handled quickly and carefully to reduce risks. This policy is part of our overall effort to protect company technology.

Fraud Management
Updated: 06 April 2025
The policy linked above explains how our organization detects, manages, and responds to fraud. It includes strong measures to prevent dishonest activity. This policy applies to all employees, contractors, and business partners. It supports a safe and trustworthy work environment for everyone.

Reporting Security Incidents, Vulnerabilities, Threats
Updated: 21 March 2025
The policy linked above explains how we handle reporting of security incidents, threats, and vulnerabilities across the organization. It includes clear steps for identifying and reporting issues quickly. The policy applies to all employees, contractors, and partners. Early reporting helps reduce risk and protect our systems.

Weapons and Security
Updated: 22 March 2025
The policy linked above explains our strict rules regarding weapons on company property and at work events. It lays out who may carry weapons, where, and when, with strong controls to keep everyone safe. This policy applies to employees, contractors, and visitors at all sites.

Engaging Security for New Projects/New Events
Updated: 21 March 2025
The policy linked above explains when and how to involve security in new projects and events. It ensures that risks are reviewed early and properly managed. This policy applies to all departments planning new work or activities. Involving security helps protect people, data, and property from the start.

Non-Public Information Security (Including PII)
Updated: 31 March 2025
The policy linked above explains how we protect non-public information across all areas of the organization. It includes strict rules for handling, sharing, and storing sensitive data. This policy applies to all employees, contractors, and partners. Protecting non-public information helps prevent data leaks and supports trust.

Social Media Usage
Updated: 24 March 2025
The policy linked above explains how social media use is managed to protect the company’s image, data, and employees. It includes clear guidelines for what is appropriate to share online. This policy applies to all employees using social media for work or personal use. It helps reduce risk and supports responsible communication.

Security Investigations
Updated: 23 March 2025
The policy linked above explains how the company conducts security investigations when issues or concerns are reported. It includes strict procedures to ensure fair and thorough reviews. This policy applies to all employees, contractors, and work locations. Investigations help protect people, property, and information from harm.

Email Security
Updated: 25 March 2025
The policy linked above explains how email is protected to keep company information secure and prevent cyber threats. It includes strong rules for using email safely at work. This policy applies to all employees and anyone using company email systems. It helps prevent data loss, phishing, and other risks.

Laptop/Desktop/Mobile Device Security
Updated: 06 April 2025
The policy linked above explains how laptops, desktops, and mobile devices are secured to protect company data and systems. It includes strict requirements for device use, access, and protection. This policy applies to all employees and anyone using company devices. It helps reduce risks like data loss or theft.

Onsite/Offsite Event Security
Updated: 06 April 2025
The policy linked above explains how security is managed for events held both onsite and offsite. It includes strong guidelines to protect people, property, and information during all events. This policy applies to employees, guests, and vendors involved in any company event. It helps ensure events are safe and well-controlled.

Supplier / Customer Due Diligence
Updated: 23 March 2025
The policy linked above explains how we evaluate suppliers and customers to reduce security and business risks. It includes strong procedures for reviewing and verifying business partners. This policy applies to all teams involved in selecting or managing suppliers and customers. It helps protect company operations and reputation.

Retail Loss Prevention
Updated: 06 April 2025
The policy linked above explains how the company prevents loss in retail operations through strong security measures. It covers all employees, stores, and related activities. The policy aims to protect products, reduce theft, and improve safety.

Recruiting and Onboarding
Updated: 07 April 2025
The policy linked above explains how recruiting and onboarding processes include strong security measures to protect the company. It applies to all new hires and contractors. The policy ensures proper screening and secure access to company resources.

Use of Our Facilities
Updated: 4 April 2025
The policy linked above explains how third parties use our facilities for events under strict security controls. It applies to all external groups hosting events on the organization’s property. The policy helps ensure safety, security, and proper access during these events.

Handling of Cash or Checks
Updated: 8 April 2025
The policy linked above explains how the company manages the handling of cash with strict security measures. It applies to all employees involved in cash handling or processing. The policy helps prevent theft, loss, and errors to protect company assets.

Protecting VIPs (Physical)
Updated: 08 April 2025
The policy linked above explains how the company provides strong physical protection for VIPs during visits and events. It applies to all employees involved in VIP security or hosting. The policy ensures safety and smooth coordination to protect important guests.

Asset Inventory Management
Updated: 08 April 2025
This policy requires all physical and digital assets to be logged, labeled, and regularly reviewed. Only authorized personnel may assign, move, or remove assets. Loss, damage, or theft must be reported immediately. Accurate records help protect resources, reduce risk, and support compliance. Staff are responsible for safeguarding items under their control and must follow inventory procedures at all times.

Converged Security Vulnerability Management
Updated: 08 April 2025
The policy linked above explains how converged security vulnerability management is used to identify and address risks across all systems. It applies to all employees and technology resources. The policy supports a coordinated approach to keep the organization safe from threats.

Cyber Security – Center for Internet Security 18 Critical Controls
Sorry, it’s a 2 Pager… Based on CISecurity.org’s great work on the 18 Critical Controls
Updated: 03 April 2025
The policy linked above explains how Cyber Security’s 18 Critical Controls guide our efforts to protect company systems and data. It applies to all employees and technology users. The policy ensures important security steps are followed consistently across the organization.

Secure Software Development
Updated: 08 April 2025
The policy linked above explains how secure software development practices are used to protect company applications and data. It applies to all developers and project teams. The policy ensures security is built into software from the start to reduce risks.

Warehouse Security (Worker Edition)
Updated: 13 April 2025
The policy linked above explains how security measures protect warehouse workers and facilities. It applies to all employees working in warehouses. The policy helps ensure safety, prevent theft, and maintain secure operations.

Construction Site Security (Worker Edition)
Updated: 13 April 2025
The policy linked above explains how security measures protect construction site workers and equipment. It applies to all employees working on construction sites. The policy helps ensure worker safety, prevent theft, and maintain secure job sites.

Security Personnel Training
Updated: 13 April 2025
The policy linked above explains how security personnel receive ongoing training to stay prepared and effective. It applies to all security staff and contractors. The policy ensures training covers the latest security practices and company standards.

Records Retention/Destruction
Updated: 29 April 2025
The policy linked above explains how the company manages records retention and destruction securely. It applies to all employees handling company documents and data. The policy ensures records are kept as needed and destroyed safely when no longer required.

Termination / Offboarding Personnel
Updated: 30 April 2025
The policy linked above explains how the company handles termination and offboarding of personnel with strict security measures. It applies to all employees leaving the organization. The policy ensures timely removal of access and protection of company information.

Insider Threat Management
Updated: 29 April 2025
The policy linked above explains how the company manages insider threats with strict security measures. It applies to all employees and contractors. The policy helps detect and prevent risks from within the organization.

Visitor (Invited / Not-Invited) Management
Updated: 30 April 2025
The policy linked above explains how the company manages both invited and uninvited visitors with strict security controls. It applies to all employees responsible for visitor access. The policy helps ensure safety by controlling who can enter company facilities.

Security Metrics
Updated: 03 May 2025
The policy linked above explains how the company tracks and manages security metrics using strict rules. It applies to all security functions across the organization. The policy helps measure performance and identify areas needing attention or improvement.

Child and Youth Protection
Updated: 05 May 2025
The policy linked above explains how the company protects children and youth through strong security measures. It applies to all employees involved in youth-related activities or programs. The policy helps ensure a safe and respectful environment for all young individuals.

Crisis Management and Communications
Updated: 06 May 2025
The policy linked above explains how the company manages crises and communicates during emergencies with clear and strict rules. It applies to all teams involved in emergency planning or response. The policy supports quick, organized actions to reduce harm and confusion.

Partnerships with Law Enforcement
Updated: 07 May 2025
The policy linked above explains how the company works with law enforcement using clear and strict security guidelines. It applies to teams that manage official contacts or share information with authorities. The policy supports safe, legal, and coordinated actions during investigations or emergencies.

Protecting VIPs (Cyber / Information Security)
Sorry it’s a 2 Pager
Updated: 25 May 2025
The policy linked above explains how the company protects VIPs through strong cyber and information security measures. It applies to all employees supporting VIP roles or data. The policy helps reduce risks to sensitive information and digital activity.

Security’s Role in BCP/DRP
Under Development

Information Security For Podcasts, Speaking Events
Under Development

Jim, we had this issue _____?

Dude, you forgot about ____?

Jim, I need a policy on _____

Safety Policies

Basic Safety
Updated: 29 April 2025
The policy linked above explains how the company maintains basic safety across all areas of the organization. It applies to every employee, regardless of role or location. The policy supports a safe environment through clear procedures and regular oversight.

Emergency Evacuation/Shelter-In-Place
Updated: 01 May 2025
The policy linked above explains how the company handles emergency evacuations and shelter-in-place situations with clear, strong safety rules. It applies to all employees in every location. The policy supports fast, safe actions during emergencies like fires, threats, or severe weather.

Safety Metrics
Updated: 03 May 2025
The policy linked above explains how the company tracks and manages safety performance using clear and strong safety metrics. It applies to all departments that report or review safety data. The policy supports informed decisions by measuring safety trends and results over time.
