This policy will help you create security guidelines for the devices that transmit and store your organization's data. You can use it as-is or customize it to fit the needs of your organization and employees.
From the policy:
Every company’s network is made up of devices that transmit and store information. This can include internal and external systems, either company-owned or leased/rented/subscribed to.
To protect company data and reputation, it is essential that the network be secured against unauthorized access, data loss, malware infections, and security breaches. This must be done through systematic, end-to-end controls rather than ad hoc fixes.
The IT department is responsible for implementing, adhering to, and maintaining these controls. For the purposes of this document, "all devices" refers to workstations, laptops, servers, switches, routers, firewalls, mobile devices, and wireless access points. Where practicable, these guidelines also apply to external remote systems and cloud services.
All devices should be configured with strong administrative controls, including complex passwords or SSH keys for administrative access. These credentials must be kept in a centralized password/key vault that only the IT department can access. They must be rotated at least every 90 days, and immediately when an IT staff member who had access to them leaves the organization.
All devices should be set up on a "least privilege necessary" model, whereby access is granted only to employees who require it to do their jobs. Administrator accounts should be kept to a minimum and issued only to authorized members of the IT department, or to others only with IT approval.
All devices should run only the services, and expose only the functions and access paths, needed for them to do their job; everything else should be disabled or removed. Critical systems storing confidential data should sit behind firewalls that default to deny, with the bare minimum of ports opened, and only to the specific source hosts or networks that legitimately need to reach them.
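The following nftables ruleset is an added illustration of the "bare minimum of ports, only from the sources that need them" rule above; it is not part of the policy template. It assumes a hypothetical Linux database server whose only legitimate clients are an application subnet (10.10.20.0/24, PostgreSQL on TCP 5432) and an IT management jump host (10.10.0.5, SSH on TCP 22); all addresses and ports are assumptions to be replaced with your own.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the policy). Host firewall for a hypothetical
# database server; addresses and ports are assumptions.
flush ruleset

table inet filter {
    # Named sets make the allowed sources explicit and easy to review.
    set app_tier {
        type ipv4_addr
        flags interval
        elements = { 10.10.20.0/24 }   # assumed application subnet
    }
    set mgmt_hosts {
        type ipv4_addr
        elements = { 10.10.0.5 }       # assumed IT jump host
    }

    chain input {
        # Default deny: anything not explicitly accepted below is dropped.
        type filter hook input priority 0; policy drop;

        ct state established,related accept   # replies to our own traffic
        ct state invalid drop
        iif "lo" accept                        # loopback

        # Basic diagnostics, rate-limited so ping floods are not amplified
        icmp type { echo-request, destination-unreachable, time-exceeded } limit rate 10/second accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, echo-request } accept

        # SSH administration only from the management jump host
        ip saddr @mgmt_hosts tcp dport 22 accept

        # Database port only from the application tier
        ip saddr @app_tier tcp dport 5432 accept

        # Log (rate-limited) what the policy is about to drop, for detection
        limit rate 5/minute log prefix "nft-input-drop: "
    }

    chain forward {
        # This host is not a router; never forward.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`. The check a practitioner should then run is the negative one: from a host outside both sets, verify that TCP 22 and 5432 are filtered, and confirm the corresponding `nft-input-drop:` entries appear in the kernel log, so the allowlist is proven rather than assumed.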
Where applicable, devices should be hardened according to the vendor's published hardening guidelines, insofar as doing so does not interfere with required functions or access. Any deviation from those guidelines should be documented along with the reason for it.