HOW TO USE THIS TEMPLATE
This data security policy template contains 7 sections and 9 subsections that can be edited, rewritten,
replaced or adapted to meet the needs of your company. Each section contains a brief instruction, which
you can delete, followed by an example of the text you may wish to include in the section. The table of
contents can be updated to reflect any changes you make in the document. New section headers should be
designated as “Heading 2” (and subsection headers as “Heading 3”) to ensure they are included in the table
of contents when you update it.
The footer in the document contains the i-Sight logo. This is editable and can be replaced with your own
company logo, alternate text or nothing at all.
WRITING YOUR DATA SECURITY POLICY
Here are some resources to help you write your data security policy.
Before you begin:
1. KNOW THE LAWS IN YOUR COUNTRY:
A PRACTICAL GUIDE TO DATA PRIVACY LAWS BY COUNTRY
2. LEARN MORE ABOUT DATA BREACHES AND PREVENTION:
11 EXPERT TIPS FOR DATA BREACH PREVENTION IN 2019
INCIDENT RESPONSE PLAN: 15 STEPS TO ADDRESS WORKPLACE INCIDENTS
TOP 20 TIPS FOR PREVENTING DATA THEFT
DATA SECURITY POLICY TEMPLATE 2
Foreword
The CEO or a data security leader in your company (whether their formal title is Security Director,
Data Protection Officer, VP of Information Security or something else) may want to write a short
foreword.
A well-written foreword can bring your policy to life. It heightens readers’ interest and enthusiasm. It
inspires unity and a sense of responsibility. It provides a great opportunity to highlight the importance of a
collective effort in protecting company and customer data.
For example:
The goal of this policy is to enhance and clarify the procedures we have implemented to safeguard sensitive data. We hope that this
document can provide the reader with the information required to make informed and ethical decisions about how to use, access and
disclose data.
This policy is the cornerstone of our data protection efforts. I envision this as an evergreen document and I actively encourage anyone
with suggestions, recommendations or critiques to voice them. Data protection is a collective effort and requires hard work, passion
and commitment from every person in this company.
Security Principles & Best Practices
To prevent security incidents caused by employee ignorance, explain the data security principles and best
practices your company recognizes. Data security principles would be your “golden rules” whereas best
practices are the behaviors or courses of action that support these rules.
For example:
To minimize the chances of lost, stolen or manipulated paper documents, employees must shred all papers containing confidential
information within ten business days. Shred any mail that includes a name and address; shred all luggage tags, trip itineraries and
boarding passes; and shred price lists, payment stubs and receipts.
Data Security Procedures
Hardware & Access Security Measures
Explain security measures in place for hardware (e.g., networks and cloud services) and equipment (e.g.,
locking cabinets). Provide information about connecting devices to the network, enabling remote access
and physical security measures for equipment.
For example:
Employees must only use the secure, password-protected wireless network titled Company-5G. Employees must never conduct
work-related activity on the unprotected Guest-Company wi-fi network. The Guest-Company network has been set up specifically for
use by visitors and for casual use of personal devices.
Software & Antivirus Security Measures
Provide information about antivirus and firewall programs and software in place to keep data safe. Explain
patch management and other unique strategies you use to scan for vulnerabilities, such as employing white
hat hackers.
For example:
Employees are not to disable any of the pre-installed firewalls, antivirus and antispyware programs on company equipment (such as
laptops, mobile devices and removable media). Software updates will be made by members of the IT Department on an as-needed
basis. Employees are not permitted to update or install any programs or software. All installations must be requested, approved and
made by a member of the IT Department.
Password Management
Describe the company’s password management protocol. Explain why employees should never write their
passwords on a piece of paper and leave it in a drawer. Include a reminder never to share passwords
with others.
For example:
Employees are required to use strong, complex passwords that are at least 12 characters long with both uppercase and lowercase
letters, at least one number and at least one special character. All equipment will prompt employees to change their passwords every
90 days. The password cannot be one that has been used before, and it cannot be your SIN, your birth date or any other personally
identifying information.
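The rules in the example text above can be enforced by the systems that accept new passwords rather than left to memory. The following Python checker is an added illustration, not part of the template or of i-Sight's material: it encodes the stated policy (at least 12 characters, mixed case, a digit, a special character, no reuse, no embedded personal identifiers such as a birth date or SIN) and the 90-day rotation interval. The PBKDF2 iteration count, the identifier-matching heuristic and all sample values are assumptions made for the example; previous passwords are kept only as salted hashes so the reuse check never stores them in plaintext.

```python
import hashlib
import hmac
import secrets
import string
from datetime import date, timedelta

# Policy parameters taken from the example text in this section
MIN_LENGTH = 12
ROTATION_DAYS = 90
SPECIAL_CHARS = set(string.punctuation)


def hash_for_history(password, salt=None):
    """Return (salt, digest) for storing a password in the reuse history.

    PBKDF2-SHA256 with a random 16-byte salt; the iteration count is an
    assumed value for this example, not a figure from the template.
    """
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def used_before(candidate, history):
    """True if candidate matches any (salt, digest) entry in history."""
    for salt, digest in history:
        _, probe = hash_for_history(candidate, salt)
        if hmac.compare_digest(probe, digest):  # constant-time comparison
            return True
    return False


def check_password(candidate, history=(), personal_identifiers=()):
    """Return the list of policy violations for candidate (empty = compliant).

    history: iterable of (salt, digest) pairs from hash_for_history().
    personal_identifiers: strings the user must not embed (e.g. birth date,
    SIN); the substring/digits-only matching below is an assumed heuristic.
    """
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in candidate):
        violations.append("no uppercase letter")
    if not any(c.islower() for c in candidate):
        violations.append("no lowercase letter")
    if not any(c.isdigit() for c in candidate):
        violations.append("no digit")
    if not any(c in SPECIAL_CHARS for c in candidate):
        violations.append("no special character")
    if used_before(candidate, history):
        violations.append("password was used before")

    lowered = candidate.lower()
    for ident in personal_identifiers:
        digits_only = "".join(ch for ch in ident if ch.isdigit())
        # Match the identifier as typed, or its digits alone (e.g. "19850314"),
        # so that reformatting a birth date or SIN does not slip past the check.
        if ident.lower() in lowered or (len(digits_only) >= 4 and digits_only in candidate):
            violations.append("contains personally identifying information")
            break
    return violations


def rotation_due(last_changed, today=None):
    """True once ROTATION_DAYS or more have passed since the last change."""
    today = today or date.today()
    return today - last_changed >= timedelta(days=ROTATION_DAYS)


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run
    history = [hash_for_history("Correct-Horse-Battery-42")]
    print(check_password("short1!"))
    print(check_password("Correct-Horse-Battery-42", history))
    print(check_password("Maple-Leaf-1985-03-14xZ", personal_identifiers=["1985-03-14"]))
    print(rotation_due(date(2019, 1, 1), date(2019, 4, 1)))
```

In practice the personal identifiers come from the HR record of the account being changed, and the history list holds the hashes of that user's last several passwords; the checker itself never needs the old passwords in clear.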
Acceptable Use
Communicate acceptable use of email, internet, social media and company equipment. Create boundaries
and draw the line between acceptable and unacceptable personal use. Provide specific examples of websites
that are not permitted.
For example:
Employees are permitted to use social media for personal reasons on their lunch break or another designated break. Employees who
are identifiable on social media as employees of the company must include a disclaimer in their bio stating that their views are their
own and do not represent those of the company.