Page tree
Skip to end of metadata
Go to start of metadata

What makes a good policy?  ♥

  • keep it short and concrete
  • focuses on goals, roles, responsibilities and tasks
  • covers relevant security aspects (personal, office, travel, devices, etc.)
  • clearly differentiates between what needs to be done once, regularly or all the time
  • helps the reader to take action (spells out internal support, links to resources)
  • clear link to organizational mission and identity
  • is part of the main working space of an organisation, reflects its (visual) identity
  • includes protective measures and incident response

What makes a bad policy?

  • focused only on documentation of tools
  • one that cannot be found by staff
  • can only be understood by experts, champion or IT staff
  • too aspirational and too far away from actual practices
  • quick hack of a template, bad recycling of other policies
  • is one giant document that does not differentiate between different needs and responsibilities


  • Clear standard of practice within the organization.
  • Ensure sustainability of practice
  • Creating organizational consensus
  • Establish initially and use dynamically as organization incorporates practices/environment or organization changes


  • Existing workflow and program activities
  • Initial assessment, including resources
  • Priorities
  • Organigram
  • Helpful:  existing templates

Elements to be included

  • Buy-in and strategy to implement, enforce, and inform policy
  • Communication policy
    • social media
    • Email
    • Chat
    • Mobile
    • Branding practices and signatures
    • PGP usage, key storage, publishing keys, subject lines
  • All should cover access control measures, levels of encryption, personal vs work usage
  • Data managements policy
    • Where is stored? (cloud, local, etc)
    • Access control (new hires, employees leaving, different levels of access)
    • Data retention
    • Data deletion
    • Backup
    • Encryption 
    • Password management
    • File naming and storage structure
  • Equipment policy
    • Personal use
    • Taking home
    • Installing software
    • Pirated software
    • Anti-Virus
    • Updates
    • Disposal of devices
  • Training
    • When does training happen?
    • How often?
    • Self-learning resources?
    • Funds for professional development
  • Employee leaving 
    • What to exptect when you leave the organization
    • Email access
    • Equipment handover
  • Incident Reporting
    • Security reports
    • Lost equipment
    • Infiltration
    • Virus/Hacking
  • Field Documentation and Reporting
    • Depends on methodology, but considers meta/exif data, physical exposure, mobile use, software tools, physical safety, travel

Security policy templates

In this page:


Additional resources:

Baseline Organisational Policies and Practices

by Michael Carbone
This is a draft of a resource that came out of envisioning the next iteration of the Responsible Data Forum's Organizational Security Atomized Plan, and reframing it as a guide towards implementation within a group. In this reframing I have relied heavily on the content of the Organizational Security Atomized Plan itself, Internews' SAFETAG organizational assessment framework, and other resources listed in the resources section.

Security Checklists

by iecology
The documents in this repository comprise a set of digital security checklists for use by US based non-profit organizations with a focus on human practice and organizational management. One checklist is oriented towards assessing an organization's readiness to take on this type of work. Additional documents represent framing information and a glossary.

  • No labels