This repository contains security policy templates that can be adopted by organizations of different sizes.
Well, to be honest, we don't really like doing policy work, and like good programmers we're lazy. So we figured it would be useful to have these out there, and that if people had their policy taken care of, they could spend more time and energy on the technical security things we can help with.
How To Use the Templates
The easiest way to use the templates is to fork the repository and keep your own working copy. If you check back with Jemurai's main repository, you will be able to naturally pick up changes as our recommendations evolve.
We believe that there is great value in keeping policy in GitHub or a similar open system, so that it is accessible and changes are tracked and easy to find.
Further, we recommend using pull requests to track approvals. It is important to capture leaders' support for policy, and approval of a pull request is one simple mechanism that can be used to track changes.
Some organizations will undoubtedly produce Word documents or PDFs that will be circulated and handled differently. That is also ok.
How does the policy set work? Every company has different needs. The main policy set contained here on Master is a simple but coherent set of policies that can be adopted by a small to mid-sized organization.
Having written policies is one thing. Making them something you can use and live with is another altogether. Understand that policy will need to be socialized, agreed to, and changed to fit your organization.
Work in Progress
The policies herein should be considered a work in progress. We are sharing them here in the hope that they will serve as a useful resource to others, not to be adopted as-is and applied without expert guidance.
We are still in the process of mapping standards into the policies, so that it is explicitly clear how each policy demonstrates that the relevant standards are being met.
Please create issues to request improvements or ask questions.
Limitation of Liability
These policy templates are provided as a guide for what we believe are best practices. We cannot be responsible for whether the policy is complete or whether it is followed.