Policy Requirements and Guidance
Regulations and Compliance
The (ISC)2 CCSP
or Certified Cloud Security Professional
certification is largely about regulatory compliance.
So much so that I think that
would be an equally appropriate name.
See my study guide for several lists of regulations and
other compliance issues, and pointers to further
information on them:
Certified Cloud Security Professional
U.S. Department of Defense Cybersecurity Policy Chart
The U.S. Department of Defense has published a strategy document, "DoD Strategy for Defending Networks, Systems, and Data", which you can download.
They also have a policy chart, published as an interactive PDF. If you open it in Adobe Reader (which has its own long history of exploitable bugs, so there's a risk!), you can click on its buttons to go to the actual component policy documents. Safer non-Adobe PDF viewers may be able to follow the links. If not, ask Google for the PDF documents by title.
U.S. NIST Guidance, University Examples
About the only policy-related documents you can see are the guidance and requirements published by various security organizations, and possibly partial policies from some universities.
U.S. NIST has several useful documents.
They range from introduction through guidance to requirements
for U.S. government agencies.
See the SP-800 document series for a large collection of documents on
a broad range of information assurance topics.
U.S. NIST SP-800 Series
SANS has some templates.
SANS Information Security Policy Templates
ISO 27000 series —
This is a series of ISO documents that evolved out of an
earlier British standard, BS 7799.
The full set would be enormously expensive to purchase:
ISO 27000 series
Purdue's CERIAS archive
has various documents, ranging from copies
of policies now or previously in effect at
various universities, to NIST security documents,
to U.S. Federal Criteria for Information Technology
Security, to some more narrative papers:
Purdue CERIAS archive
Explicit Policies Aren't Available
Government agencies and corporations generally consider their policies as sensitive information, and so they do not let outsiders see all of the actual policies.
It makes sense that at least some of an organization's policy would be sensitive, and so if the only choices of disclosure are "all" and "none", choosing "none" errs on the side of caution.