General Policies


Source: https://secureframe.com/hub/soc-2/policies-and-procedures


  • Acceptable Use Policy: Defines the ways in which the network, website or system may be used. It can also define which devices and types of removable media can be used, password requirements, and how devices will be issued and returned.
  • Access Control Policy: Defines who will have access to company systems and how often those access permissions will be reviewed.
  • Business Continuity Plan: Defines how employees will respond to a disruption to keep the business running smoothly.
  • Change Management Policy: Defines how system changes will be documented and communicated across your organization.
  • Confidentiality Policy: Defines how your organization will handle confidential information about clients, partners, or the company itself.
  • Code of Conduct Policy: Defines the policies both employees and employers must adhere to. This includes how people should interact with one another at work.
  • Data Classification Policy: Defines how you will classify sensitive data according to the level of risk it poses to your organization.
  • Disaster Recovery Policy: Defines how your company will recover from a disastrous event. It also includes the minimum necessary functions your organization needs to continue operations.
  • Encryption Policy: Defines the type of data your organization will encrypt and how it’s encrypted.
  • Incident Response Plan: Defines roles and responsibilities in response to a data breach and during the ensuing investigation.
  • Information Security Policy: Defines your approach to information security and why you’re putting processes and policies in place.
  • Information, Software, and System Backup Policy: Defines how information from business applications will be stored to ensure data recoverability.
  • Logging and Monitoring Policy: Defines which logs you’ll collect and monitor. It also covers what’s captured in those logs, and which systems will be configured for logging.
  • Physical Security Policy: Defines how you will monitor and secure physical access to your company’s location, including how you will prevent unauthorized physical access to data centers and equipment.
  • Password Policy: Defines the requirements for using strong passwords, password managers, and password expirations.
  • Remote Access Policy: Defines who is authorized to work remotely. It also defines what type of connectivity they will use and how that connection will be protected and monitored.
  • Risk Assessment and Risk Mitigation Plan: Defines security threats that could occur and the action plan to prevent those incidents.
  • Software Development Lifecycle Policy: Defines how you will ensure your software is built securely, tested regularly, and complies with regulatory requirements.
  • Vendor Management Policy: Defines vendors that may introduce risk, as well as controls put in place to minimize those risks.
  • Workstation Security Policy: Defines how you will secure your employees’ workstations to reduce the risk of data loss and unauthorized access.