Security Protocol Template
Template for Security Protocol. Customize this template for your specific needs.
Professional Review Recommended
This document may have legal or financial implications. We recommend having a qualified professional review the final version before use.
Document: Security Protocol
Template Preview
Version 1 • Last updated 6/4/2026
Security Protocol
Organisation: [Organisation name] Owner: [Role responsible for this protocol] Version: [1.0] Effective date: [Date] Next review: [Date + 6 to 12 months]
1. Purpose and scope
[One short paragraph: why this protocol exists and what it protects — people, information, and premises.]
This protocol applies to [who it covers: all employees, contractors, and visitors] and to [what it covers: company devices, accounts, networks, and premises]. It does not replace [the technical security plan / any legal or regulatory obligation], which is covered separately.
2. Roles and responsibilities
| Role | Responsibility |
|---|---|
| [Security owner] | [Owns and reviews this protocol; first point of contact for incidents] |
| [Managers] | [Ensure their team is briefed and follows the protocol] |
| [All staff] | [Follow the rules below and report anything suspicious] |
| [IT / systems] | [Provision and revoke access; maintain technical controls] |
3. Access control rules
- Accounts: [Every person has their own named account; shared logins are not permitted.]
- Least privilege: [People receive only the access their role requires; elevated access is the exception.]
- Joiners: [Access granted to a defined baseline on the first day, recorded by IT.]
- Leavers: [All access revoked on the last working day; badges and devices returned.]
- Reviews: [How often access and privileged accounts are reviewed.]
4. Passwords, MFA, and device rules
- Passphrases: [Minimum standard — e.g., a long passphrase, not a short password.]
- MFA: [Where multi-factor authentication is mandatory.]
- Password manager: [The approved tool; reusing or writing down passwords is not permitted.]
- Devices: [Lock screens when away; keep devices patched; report lost or stolen devices immediately.]
- Removable media: [Rules for USB devices and personal hardware on company systems.]
5. Data handling and classification
| Classification | Examples | Who may access | How to share / store |
|---|---|---|---|
| [Public] | [Marketing pages] | [Anyone] | [No restriction] |
| [Internal] | [Internal docs] | [Staff] | [Internal tools only] |
| [Confidential] | [Customer records] | [Named roles] | [Encrypted, approved tools] |
| [Restricted] | [Credentials, regulated data] | [Strictly limited] | [Need-to-know, logged access] |
- Sharing: [How confidential information may leave the organisation, and what approval is needed.]
- Retention and disposal: [How long records are kept and how they are securely destroyed.]
6. Physical security
- Building access: [How entry is controlled and badges are issued.]
- Visitors: [How visitors are signed in, badged, and escorted.]
- Secure areas: [Server rooms or restricted areas and who may enter them.]
- Clean desk / clear screen: [Sensitive material is locked away and screens are locked when unattended.]
7. Incident reporting
If you see or cause a possible security incident, report it immediately. You will not be blamed for reporting promptly.
- Recognise — [examples: lost device, clicked phishing link, misdirected email, unfamiliar person in a secure area, suspected malware].
- Report — [the single reporting channel: phone, address, or chat channel, available at any hour].
- Preserve — [do not delete evidence; do not attempt to fix it yourself unless told to].
- Follow up — [the security owner will triage, keep you informed, and confirm when it is resolved].
8. Enforcement and review
- Training: [Every new starter is briefed and confirms they have read this protocol; everyone refreshes it every [interval].]
- Enforcement: [The rules apply to everyone; describe the consequences of ignoring them.]
- Review: [This protocol is owned by [role] and reviewed [every 6 to 12 months] and after any significant incident.]
- Acknowledgement: [Where signed acknowledgements are recorded.]
About this Template
Part of the Security Protocol document collection
Document Type
Security Protocol
The defined steps and rules for handling security in a specific area.