Samples and Templates
Overview
Policy templates and sample language that can be used by agencies to develop or strengthen their internal policies, procedures and practices.
These samples should be modified to best meet the agency's business needs. It is recommended that the policy language be developed in consultation with your Legal Office, Human Resources, Labor Relations, Equal Employment Opportunity Office, Executive Management, Information Security Officer, Chief Information Officer, and Information Technology staff.
Table of Contents
- Asset Management
- Contract Development
- Request for Proposal Development
- Policy Development
- Incident Management
- Other Resources for Incident Management
Sample Asset Management Forms
- Employee Appointment Checklist (.doc, 39K)
- Record of Property Issued to State Employee (.doc, 74k)
- Employee Exit Checklist (.doc, 120k)
- Management Directive and Procedures for Handling Confidential Documents (.doc, 43k)
Sample Agreements and Contract Language
Sample agreements and model language to include in contracts that require information security provisions provided by the California Office of Information Security and other government agencies.
- Guideline for Establishing Data Exchange and System Interconnection Agreements Between Government Agencies (.doc, 2mb)
- BL-04-35 Contract Provisions (.doc, 31k)
- HIPAA Contract Provisions (.doc, 52k)
- Business Associate Agreements for HIPAA Privacy Rule (link to Department of Health Care Services website)
- Model Contract Language (link to Department of General Services website)
Sample Request for Proposals (RFPs) and Request for Offers (RFOs)
Sample RFPs for seeking assistance with information security functions (such as risk assessments, network scanning, and penetration testing) provided by the State Information Security Office and other state agencies.
- Sample Risk Assessment RFP (.doc, 260k)
- Sample Security Assessment RFO (.doc, 241k)
- Instructions and Considerations for Preparing a Statement of Work with Samples (.pdf)
- Security and Confidentiality Statement for Vendors (.doc, 38KB)
Information Security Policy Templates
Policy development templates provided by the State Information Security Office and other California state agencies.
Outline of Security Policy Components
- Security Policy Outline (.doc, 29k)
- Acceptable Use Policy Template (.doc, 52k)
- Employee Acknowledgement (.doc, 29k)
- Simple Network Banner Language (.doc, 32k)
- Presentation on Computer Use Policies (.ppt, 76k)
Other Resources for Information Security Policy Development
Policy Development Projects and Resources (Provided by various non-profit organizations)
- EDUCAUSE - Security Policy Resources (link to EDUCAUSE website)
- National Institute of Standards and Technology (NIST) - Computer Security Policy Guidance (link to NIST website, Special Publication 800-12, Chapter 5)
- SysAdmin, Audit, Network, Security (SANS) Policy Project (link to SANS website)
- Open Directory Project (ODP) Policy Samples (link to ODP website)
Incident Management
Sample incident management related forms and tools provided by the State Information Security Office and other California state agencies.
- Incident Cost Estimator Workbook (.xls, 42K)
- Incident Response Plan Example (.doc, 38k)
- Incident Communications Log (.xls, 16k)
- Sentinel Computer Collection Information Form (.doc, 205k)
- Sample breach notification templates. See the Security Breach Reporting and Notification Requirements for State Agencies
Other Resources for Incident Management
Incident Management Resources (Provided by various non-profit organizations)
- The NIST Federal Agency Security Practices (FASP) Resource Library offers guidance, samples, templates, and examples on a number of security topics, including incident management, such as the Sample Generic Policy and High Level Procedures for Incident Response (.doc). More NIST and FASP examples are offered in their digital archive (links to NIST-FASP website)
- SANS Incident Forms (links to SANS website)
- The Computer Forensics & Digital Evidence Toolkit (links to Computer-Forensics, Privacy Resources website)
The California Office of Information Security (Office) web site contains links to other sites that are not owned or controlled by us. The information provided at these sites does not reflect the views of this Office or indicate an endorsement of a particular company or product. Please be aware that our Office is not responsible for the security and privacy practices of such other sites.






