# Information Security Policy

- **Company:** [Company Name]
- **Effective date:** [Date]
- **Policy owner:** [Owner / Role]

## Purpose

This policy sets out how [Company Name] protects the information it holds, processes, and shares. It states the expectations everyone must meet so that company and customer data stays confidential, accurate, and available. The aim is to reduce the chance of a breach, limit the damage if one happens, and make our security practices clear and repeatable.

## Scope

This policy applies to:

- All employees, contractors, interns, and temporary staff.
- All systems, applications, networks, and devices used for company work, whether owned by [Company Name] or by an individual.
- All company information, in any form (digital, paper, spoken), wherever it is stored or transmitted.

Anyone who handles [Company Name] information is expected to read, understand, and follow this policy.

## Roles & Responsibilities

| Role | Responsibility |
|------|----------------|
| Executive sponsor [e.g., CEO/CTO] | Approves the policy, funds security work, and owns overall risk. |
| Security lead [Owner / Role] | Maintains this policy, runs reviews, and coordinates incidents. |
| Managers | Ensure their teams follow the policy and hold only the access their work requires. |
| All staff | Protect the data they touch, report problems quickly, and complete required training. |

## Acceptable Use (summary)

Company systems and data are provided for legitimate business purposes. Users must:

- Keep credentials private and never share accounts.
- Avoid installing unapproved software or connecting untrusted devices.
- Not use company resources for illegal, harmful, or clearly personal commercial activity.
- Lock screens when away and store devices securely.

A separate Acceptable Use Policy may expand on these rules; this section is the short version.

## Access Control (summary)

- Access is granted on a least-privilege, need-to-know basis.
- Multi-factor authentication is required for systems that support it.
- Access is reviewed on a regular cadence and removed promptly when someone changes role or leaves.

See the Access Control Policy for full detail.

## Data Protection

- Information is classified (for example, Public, Internal, Confidential, Restricted) and handled according to its level. See the Data Classification Policy.
- Sensitive data is encrypted in transit and at rest where feasible.
- Data is kept only as long as there is a business or legal reason, then disposed of securely.
- Backups are taken for important systems and tested periodically.

## Vendor / Third-Party Security

- Vendors that access or process [Company Name] data are assessed before onboarding and periodically afterward.
- Contracts include security and confidentiality obligations appropriate to the data involved.
- Vendor access is limited to what the engagement requires and revoked when it ends.

## Incident Reporting

If you suspect a security problem — a lost device, a suspicious email, unexpected access, or a possible breach — report it immediately to [e.g., security@company.com or the security lead]. Do not try to investigate or cover it up on your own. Fast reporting limits damage. See the Incident Response Plan for what happens next.

## Policy Review

This policy is reviewed at least once a year, and sooner if there is a major change in technology or regulation, or after a significant incident. The policy owner ([Owner / Role]) is responsible for the review and for tracking changes in the Version History below.

## Version History

| Version | Date | Author | Summary of changes |
|---------|------|--------|--------------------|
| 1.0 | [Date] | [Owner / Role] | Initial version. |
| | | | |

*Template by Cipherwire (cipherwire.biz). An original starting point, not legal advice — adapt it to your environment and have it reviewed before you rely on it.*
