Security Policy

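This example policy outlines behaviors expected of employees when dealing with data and provides a classification of the types of data with which they should be concerned. This should link to your AUP (acceptable use policy), security training and information security policy to provide users with guidance on the required behaviors.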

1.0 Purpose

Cosmetics Stuff must protect restricted, confidential or sensitive data from loss to avoid reputation damage and to avoid adversely impacting our customers. The protection of data in scope is a critical business requirement, yet flexibility to access data and work effectively is also critical.

It is not anticipated that this technology control can effectively deal with the malicious theft scenario, or that it will reliably detect all data. Its primary objective is user awareness and to avoid accidental loss scenarios. This policy outlines the requirements for data leakage prevention, a focus for the policy and a rationale.

2.0 Scope

  1. Any employee, contractor or individual with access to Cosmetics Stuff systems or data.

  2. Definition of data to be protected (you should identify the types of data and give examples so that your users can identify it when they encounter it)

  •   PII

  •   Financial

  •   Restricted/Sensitive

  •   Con dential IP

    3.0 Policy – Employee requirements

  1. You need to complete Cosmetics Stuff’s security awareness training and agree to uphold the acceptable use policy.

  2. If you identify an unknown, un-escorted or otherwise unauthorized individual in Cosmetics Stuff you need to immediately notify <complete as appropriate>.

  3. Visitors to Cosmetics Stuff must be escorted by an authorized employee at all times. If you are responsible for escorting visitors you must restrict them to appropriate areas.

  4. You are required not to reference the subject or content of sensitive or confidential data publicly, or via systems or communication channels not controlled by Cosmetics Stuff. For example, the use of external e-mail systems not hosted by Cosmetics Stuff to distribute data is not allowed.

  5. Please keep a clean desk. To maintain information security you need to ensure that no printed in-scope data is left unattended at your workstation.