IT Policy Documentation



Working for an SMB you will wear many hats: systems admin, help desk admin, network admin, security admin, etc. One thing that helps with such diverse roles is to have a good IT policy set that you follow and update regularly. This post lists the types of documentation most environments should have.

To Resolve:

  1. Sign up for a service like Security Bastion to get a set of documentation templates such as:

Policy Outline
Policy Template
Meeting Minutes
Control Of Records
Corrective Action Procedure
First Board Meeting Agenda
Internal Audit Procedure
Internal Audit Report Sheet
Audit Procedure
Internal Audit Schedule
Second Board Meeting Agenda

Protection And Control Of ISMS Documentation

Non Conformance Report
Non Conformance Report Spreadsheet

Effectiveness Measurement Procedure
IS Threat Identification Workbook
Risk Register
Threat And Risk Assessment Process
Risk Vulnerability Worksheet
Detailed Threat And Risk Assessment
Accelerated Threat And Risk Assessment

Information Security Policy
Management Review Of The Information Security Policy

Organization Of IS Standard Manual
Information Security Committee
Information Security Coordination
Authorizing New Information Processing Facilities
Confidentiality Agreements
Authorities And Key Suppliers
Contact With Authorities Guide
Internal Independent Review Procedure
External Parties Information Security Procedure

Asset Management Standard Manual
Inventory And Ownership Of Assets
Acceptable Use Policy
Information Asset Classification Tool.xls
Information Security Classification Guidelines
Inventory Of Assets

Human Resource Security Standard Manual
Personnel Screening Procedure
Schedule Of Required HR Amendments
Termination Checklist
Employee Termination Guide

Physical And Environmental Security Standard Manual
Equipment Security Procedure
Secure Disposal Of Storage Media Procedure
Removal Off Site Of Information Assets Procedure
Information Assets For Disposal
Physical Perimeter Security Checklist
Physical Entry Controls And Secure Areas Procedure
Public Access Delivery And Loading Areas Procedure

Communications And Operations Management Standard Manual
Documented Procedures
Policy Against Malware
Controls Against Malware Procedure
Backup Procedures
Network Controls And Services Procedure
Media And Information Handling Procedure
Business Information Systems Procedure
Ecommerce And Online Transactions Procedure
Information Security Monitoring Procedure
System Planning And Acceptance Procedure
Change Control Procedure
Environment Separation Procedure
Managing Third Party Service Contracts Procedure

Access Control Standard Manual
Access Control Policy
Mobile Computing Security Procedure
Teleworker Security Procedure
Use Of System Utilities Procedure
User Access Management Procedure
Access Control Rules And Rights For Users Groups Procedure
Network Access Control Policy
Network Access Control Procedure
Secure Logon Session Timeout And System Isolation Procedure

Information Systems Acquisition Development Maintenance Standard Manual
Cryptographic Key Management Procedure
Control Of Operational Software Procedure
Vulnerability Management Procedure

Information Security Incident Management Standard Manual
Reporting Information Security Weaknesses And Events Procedure
Responding To Information Security Reports Procedure
Collection Of Evidence Procedure
Notification Of Information Security Breaches Procedure

Business Continuity Management Standard Manual
Business Continuity Planning Procedure
Business Continuity Assessment Procedure
Business Continuity Plan
Testing Maintaining And Reassessing BC Plans Procedure

Compliance Standard Manual
Intellectual Property Rights Policy Statement
Retention Records Procedure
IPR Compliance Procedure
Compliance Checking Procedure
Systems Auditing Procedure
Data Protection And Privacy Policy Statement

  2. Once you have these documents, go through each one and replace the placeholders with details for your environment (after getting management on board, of course; see the first section).

  3. After you write out the policies, you have to enforce them and collect at least 6 months of audit logs from your environment. Feel free to add or take away items, as this is just a template.

  4. Lastly, you can pay a third-party contractor to audit your department every X months, as your policies dictate. If you are looking to get ISO certified, there may be more steps involved.