Initial commit

example/policies/README.md

@@ -0,0 +1 @@
+# TODO Describe Policies

example/policies/access.md

@@ -0,0 +1,15 @@
+name: Access Onboarding and Termination Policy
+acronym: AOTP
+satisfies:
+  TSC:
+    - CC6.1
+    - CC6.2
+    - CC6.3
+majorRevisions:
+  - date: Jun 1 2018
+    comment: Initial document
+---
+
+# Overview
+
+The XXX Policy governs X.

example/policies/application.md

@@ -0,0 +1,33 @@
+name: Application Security Policy
+acronym: ASP
+satisfies:
+  TSC:
+    - CC6.2
+majorRevisions:
+  - date: Jun 1 2018
+    comment: Initial document
+---
+
+# Overview
+
+The Application Security Policy governs the use of applications deemed critical to {{.Name} Information Security.
+
+# Critical Applications
+
+The following applications are within the scope of this policy:
+
+* GitHub
+* Slack
+* Google Apps
+
+Applications supporting production data operations (specifically the AWS Console) are deliberately excluded from this policy.
+
+# Data Sensitivity
+
+Any company proprietary data may be stored within these *[Critical Applications]*.
+
+Customer support activities must be conducted entirely within the *[Critical Applications]*.
+
+# Other Applications
+
+Other applications not listed in *[Critical Applications]* may include company proprietary data, but must not contain any customer support or customer-owned data.

example/policies/availability.md

@@ -0,0 +1,14 @@
+name: Availability Policy
+acronym: AP
+satisfies:
+  TSC:
+    - A1.1
+    - CC9.1
+majorRevisions:
+  - date: Jun 1 2018
+    comment: Initial document
+---
+
+# Overview
+
+The Availability Policy governs X.

example/policies/change.md

@@ -0,0 +1,13 @@
+name: System Change Policy
+acronym: SCP
+satisfies:
+  TSC:
+    - CC8.1
+majorRevisions:
+  - date: Jun 1 2018
+    comment: Initial document
+---
+
+# Overview
+
+The XXX Policy governs X.

example/policies/classification.md

@@ -0,0 +1,37 @@
+name: Data Classification Policy
+acronym: DCP
+satisfies:
+  TSC:
+    - CC9.9
+majorRevisions:
+  - date: Jun 1 2018
+    comment: Initial document
+---
+
+# Background
+
+This policy defines the high level objectives and implementation instructions for the organization’s data classification scheme. This includes data classification levels, as well as procedures for the classification, labeling and handling of data within the organization. Confidentiality and non-disclosure agreements maintained by the organization must reference this policy.
+
+# Purpose and Scope
+
+- This data classification policy defines the requirements to ensure that information within the organization is protected at an appropriate level.
+
+- This document applies to the entire scope of the organization’s information security program. It includes all types of information, regardless of its form, such as paper or electronic documents, applications and databases, and knowledge or information that is not written.
+
+- This policy applies to all individuals and systems that have access to information kept by the organization.
+
+# References
+
+- Risk Assessment Policy
+- Security Incident Management Policy
+
+# Policy
+
+- If classified information is received from outside the organization, the person who receives the information must classify it in accordance with the rules prescribed in this policy. The person thereby will become the owner of the information.
+- If classified information is received from outside the organization and handled as part of business operations activities (e.g., customer data on provided cloud services), the information classification, as well as the owner of such information, must be made in accordance with the specifications of the respective customer service agreement and other legal requirements.
+- When classifying information, the level of confidentiality is determined by:
+  - The value of the information, based on impacts identified during the risk assessment process. More information on risk assessments is defined in the Risk Assessment Policy (reference (a)).
+  - Sensitivity and criticality of the information, based on the highest risk calculated for each information item during the risk assessment.
+  - Legal, regulatory and contractual obligations.
+
+- Information must be classified based on confidentiality levels as defined in Table 1.

example/policies/conduct.md

@@ -0,0 +1,13 @@
+name: Code of Conduct Policy
+acronym: COCP
+satisfies:
+  TSC:
+    - CC1.1
+majorRevisions:
+  - date: Jun 1 2018
+    comment: Initial document
+---
+
+# Overview
+
+The Data Classification Policy governs X.

example/policies/confidentiality.md

@@ -0,0 +1,14 @@
+name: Confidentiality Policy
+acronym: CP
+satisfies:
+  TSC:
+    - C1.1
+    - C1.2
+majorRevisions:
+  - date: Jun 1 2018
+    comment: Initial document
+---
+
+# Overview
+
+The XXX Policy governs X.

example/policies/continuity.md

@@ -0,0 +1,13 @@
+name: Business Continuity Policy
+acronym: BCP
+satisfies:
+  TSC:
+    - CC9.1
+majorRevisions:
+  - date: Jun 1 2018
+    comment: Initial document
+---
+
+# Overview
+
+The XXX Policy governs X.

example/policies/cyber.md

@@ -0,0 +1,13 @@
+name: Cyber Risk Assessment Policy
+acronym: CRP
+satisfies:
+  TSC:
+    - CC9.1
+majorRevisions:
+  - date: Jun 1 2018
+    comment: Initial document
+---
+
+# Overview
+
+The XXX Policy governs X.

example/policies/datacenter.md

@@ -0,0 +1,13 @@
+name: Datacenter Policy
+acronym: DP
+satisfies:
+  TSC:
+    - CC6.4
+majorRevisions:
+  - date: Jun 1 2018
+    comment: Initial document
+---
+
+# Overview
+
+The XXX Policy governs X.

example/policies/development.md

@@ -0,0 +1,13 @@
+name: Software Development Lifecycle Policy
+acronym: SDLCP
+satisfies:
+  TSC:
+    - CC8.1
+majorRevisions:
+  - date: Jun 1 2018
+    comment: Initial document
+---
+
+# Overview
+
+The XXX Policy governs X.

example/policies/disaster.md

@@ -0,0 +1,15 @@
+name: Disaster Recovery Policy
+acronym: DRP
+satisfies:
+  TSC:
+    - A1.2
+    - A1.3
+majorRevisions:
+  - date: Jun 1 2018
+    comment: Initial document
+---
+
+# Overview
+
+The XXX Policy governs X.
+s

example/policies/encryption.md

@@ -0,0 +1,13 @@
+name: Encryption Policy
+acronym: EP
+satisfies:
+  TSC:
+    - CC9.9
+majorRevisions:
+  - date: Jun 1 2018
+    comment: Initial document
+---
+
+# Overview
+
+The XXX Policy governs X.

example/policies/incident.md

@@ -0,0 +1,15 @@
+name: Security Incident Response Policy
+acronym: SIRP
+satisfies:
+  TSC:
+    - CC7.3
+    - CC7.4
+    - CC7.5
+majorRevisions:
+  - date: Jun 1 2018
+    comment: Initial document
+---
+
+# Overview
+
+The XXX Policy governs X.

example/policies/information.md

@@ -0,0 +1,29 @@
+name: Information Security Policy
+acronym: ISP
+satisfies:
+  TSC:
+    - CC9.9
+majorRevisions:
+  - date: Jun 1 2018
+    comment: Initial document
+---
+
+# Overview
+
+The Information Security Policy is a composite policy referencing other Acme policies relevant to information security.
+
+# Component Policies
+
+The Acme Information Security Policy is composed of:
+
+- [Application Security Policy (*Acme-ASP.pdf*)](Acme-ASP.pdf) {-}
+- [Cyber Risk Management Policy (*Acme-CRP.pdf*)](Acme-CRP.pdf) {-}
+- [Data Classification Policy (*Acme-DCP.pdf*)](Acme-DCP.pdf) {-}
+- [Data Retention Policy (*Acme-ASP.pdf*)](Acme-DRP.pdf) {-}
+- [Datacenter Security Policy (*Acme-ASP.pdf*)](Acme-DSP.pdf) {-}
+- [Encryption Policy (*Acme-ASP.pdf*)](Acme-EP.pdf) {-}
+- [Password Policy (*Acme-ASP.pdf*)](Acme-PWP.pdf) {-}
+- [Remote Access Policy (*Acme-ASP.pdf*)](Acme-REAP.pdf) {-}
+- [Removable Media Policy (*Acme-ASP.pdf*)](Acme-RMP.pdf) {-}
+- [Security Incident Response Policy (*Acme-ASP.pdf*)](Acme-SIRP.pdf) {-}
+- [Workstation Security Policy (*Acme-ASP.pdf*)](Acme-WSP.pdf) {-}

example/policies/log.md

@@ -0,0 +1,13 @@
+name: Log Management Policy
+acronym: LMP
+satisfies:
+  TSC:
+    - CC7.2
+majorRevisions:
+  - date: Jun 1 2018
+    comment: Initial document
+---
+
+# Overview
+
+The XXX Policy governs X.

example/policies/media.md

@@ -0,0 +1,13 @@
+name: Removable Media and Cloud Storage Policy
+acronym: MCP
+satisfies:
+  TSC:
+    - CC6.7
+majorRevisions:
+  - date: Jun 1 2018
+    comment: Initial document
+---
+
+# Overview
+
+The XXX Policy governs X.

example/policies/office.md

@@ -0,0 +1,13 @@
+name: Office Security Policy
+acronym: OSP
+satisfies:
+  TSC:
+    - CC6.4
+majorRevisions:
+  - date: Jun 1 2018
+    comment: Initial document
+---
+
+# Overview
+
+The XXX Policy governs X.

example/policies/password.md

@@ -0,0 +1,13 @@
+name: Password Policy
+acronym: PWP
+satisfies:
+  TSC:
+    - CC9.9
+majorRevisions:
+  - date: Jun 1 2018
+    comment: Initial document
+---
+
+# Overview
+
+The XXX Policy governs X.

example/policies/policy.md

@@ -0,0 +1,21 @@
+name: Policy Training Policy
+acronym: PTP
+satisfies:
+  TSC:
+    - CC9.9
+majorRevisions:
+  - date: Jun 1 2018
+    comment: Initial document
+---
+
+# Overview
+
+The Policy Training Policy addresses policy education requirements for Acme employees and contractors.
+
+# Adherence
+
+Assignees are reminded that adherence to assigned policies is binding under the terms of their Acme Employment Offer Letter and/or their Acme Independent Contractor Agreement.
+
+# Applicability
+
+Upon each full-time, part-time or contractor addition, the hiring manager determines which subset of of Acme Policies apply to that individual. The individual is tasked with reading the assigned policies within 5 working days. The initial assignment date, scope, and completion date are entered into the [Ledger].

example/policies/privacy.md

@@ -0,0 +1,30 @@
+name: Privacy Management Policy
+acronym: PMP
+satisfies:
+  TSC:
+    - P1.1
+    - P2.1
+    - P3.1
+    - P3.2
+    - P4.1
+    - P4.2
+    - P4.3
+    - P5.1
+    - P5.2
+    - P6.1
+    - P6.2
+    - P6.3
+    - P6.4
+    - P6.5
+    - P6.6
+    - P6.7
+    - P7.1
+    - P8.1
+majorRevisions:
+  - date: Jun 1 2018
+    comment: Initial document
+---
+
+# Overview
+
+The XXX Policy governs X.

example/policies/processing.md

@@ -0,0 +1,17 @@
+name: Processing Integrity Management Policy
+acronym: PIMP
+satisfies:
+  TSC:
+    - PI1.1
+    - PI1.2
+    - PI1.3
+    - PI1.4
+    - PI1.5
+majorRevisions:
+  - date: Jun 1 2018
+    comment: Initial document
+---
+
+# Overview
+
+The XXX Policy governs X.

example/policies/remote.md

@@ -0,0 +1,15 @@
+name: Remote Access Policy
+acronym: REAP
+satisfies:
+  TSC:
+    - CC6.1
+    - CC6.2
+    - CC6.7
+majorRevisions:
+  - date: Jun 1 2018
+    comment: Initial document
+---
+
+# Overview
+
+The XXX Policy governs X.

example/policies/retention.md

@@ -0,0 +1,15 @@
+name: Data Retention Policy
+acronym: RP
+satisfies:
+  TSC:
+    - CC1.2
+    - CC6.5
+    - P4.2
+majorRevisions:
+  - date: Jun 1 2018
+    comment: Initial document
+---
+
+# Overview
+
+The XXX Policy governs X.

example/policies/risk.md

@@ -0,0 +1,13 @@
+name: Risk Assessment Policy
+acronym: RIAP
+satisfies:
+  TSC:
+    - CC9.1
+majorRevisions:
+  - date: Jun 1 2018
+    comment: Initial document
+---
+
+# Overview
+
+The XXX Policy governs X.

example/policies/vendor.md

@@ -0,0 +1,13 @@
+name: Vendor Management Policy
+acronym: VMP
+satisfies:
+  TSC:
+    - CC9.2
+majorRevisions:
+  - date: Jun 1 2018
+    comment: Initial document
+---
+
+# Overview
+
+The XXX Policy governs X.

example/policies/workstation.md

@@ -0,0 +1,13 @@
+name: Workstation Policy
+acronym: WP
+satisfies:
+  TSC:
+    - CC6.8
+majorRevisions:
+  - date: Jun 1 2018
+    comment: Initial document
+---
+
+# Overview
+
+The XXX Policy governs X.