Rack of Ethernet switches.

Policy Requirements and Guidance

Regulations and Compliance

The (ISC)2 CCSP or Certified Cloud Security Professional certification is largely about regulatory compliance. So much so that I think that "Certified Compliance Security Professional" would be an equally appropriate name. See my study guide for several lists of regulations and other compliance issues, and pointers to further information on them:
Certified Cloud Security Professional
study guide

U.S. Department of Defense Cybersecurity Policy Chart

The U.S. Department of Defense has published a strategy document, "DoD Strategy for Defending Networks, Systems, and Data", which you can download.

They also have a policy chart. If you use Adobe (and there's a risk!), you can click on its buttons to go to the actual component policy documents. Safer non-Adobe tools may be able to follow the links. If not, ask Google for the PDF documents by title.

U.S. NIST Guidance, University Examples

About the only policies you can see are guidance from various security organizations (both guidance and requirements) and possibly partial policies from some universities.

U.S. NIST has several useful documents. They range from introduction through guidance to requirements for U.S. government agencies. See their SP-800 document series for a large collection of documents on a broad range of information assurance topics.
U.S. NIST SP-800 Series

SANS has some templates.
SANS Information Security Policy Templates

ISO 27000 series — This is a series of ISO documents that evolved out of an earlier British government standard, BS 7799. They would be enormously expensive to purchase:
ISO 27000 series

Purdue's CERIAS archive has various documents, ranging from copies of policies now or previously in effect at various universities, to NIST security documents, to U.S. Federal Criterea for Information Technology Security, to some more narrative papers:
Purdue CERIAS archive

Explicit Policies Aren't Available

Government agencies and corporations generally consider their policies as sensitive information, and so they do not let outsiders see all of the actual policies.

It makes sense at that least some of an organization's policy would be sensitive, and so if the only choices of disclosure are "all" and "none", choosing "none" errs on the side of caution.

Back to the main Security Page