PropoDoc provides self-help document templates and tools. It is not a law firm and does not provide legal advice. Learn more.
Skip to main content
Template
Free

Security Protocol Template

Template for Security Protocol. Customize this template for your specific needs.

Professional Review Recommended

This document may have legal or financial implications. We recommend having a qualified professional review the final version before use.

Document: Security Protocol

Template Preview

Version 1 • Last updated 6/4/2026

Security Protocol

Organisation: [Organisation name] Owner: [Role responsible for this protocol] Version: [1.0] Effective date: [Date] Next review: [Date + 6 to 12 months]


1. Purpose and scope

[One short paragraph: why this protocol exists and what it protects — people, information, and premises.]

This protocol applies to [who it covers: all employees, contractors, and visitors] and to [what it covers: company devices, accounts, networks, and premises]. It does not replace [the technical security plan / any legal or regulatory obligation], which is covered separately.

2. Roles and responsibilities

RoleResponsibility
[Security owner][Owns and reviews this protocol; first point of contact for incidents]
[Managers][Ensure their team is briefed and follows the protocol]
[All staff][Follow the rules below and report anything suspicious]
[IT / systems][Provision and revoke access; maintain technical controls]

3. Access control rules

  • Accounts: [Every person has their own named account; shared logins are not permitted.]
  • Least privilege: [People receive only the access their role requires; elevated access is the exception.]
  • Joiners: [Access granted to a defined baseline on the first day, recorded by IT.]
  • Leavers: [All access revoked on the last working day; badges and devices returned.]
  • Reviews: [How often access and privileged accounts are reviewed.]

4. Passwords, MFA, and device rules

  • Passphrases: [Minimum standard — e.g., a long passphrase, not a short password.]
  • MFA: [Where multi-factor authentication is mandatory.]
  • Password manager: [The approved tool; reusing or writing down passwords is not permitted.]
  • Devices: [Lock screens when away; keep devices patched; report lost or stolen devices immediately.]
  • Removable media: [Rules for USB devices and personal hardware on company systems.]

5. Data handling and classification

ClassificationExamplesWho may accessHow to share / store
[Public][Marketing pages][Anyone][No restriction]
[Internal][Internal docs][Staff][Internal tools only]
[Confidential][Customer records][Named roles][Encrypted, approved tools]
[Restricted][Credentials, regulated data][Strictly limited][Need-to-know, logged access]
  • Sharing: [How confidential information may leave the organisation, and what approval is needed.]
  • Retention and disposal: [How long records are kept and how they are securely destroyed.]

6. Physical security

  • Building access: [How entry is controlled and badges are issued.]
  • Visitors: [How visitors are signed in, badged, and escorted.]
  • Secure areas: [Server rooms or restricted areas and who may enter them.]
  • Clean desk / clear screen: [Sensitive material is locked away and screens are locked when unattended.]

7. Incident reporting

If you see or cause a possible security incident, report it immediately. You will not be blamed for reporting promptly.

  1. Recognise — [examples: lost device, clicked phishing link, misdirected email, unfamiliar person in a secure area, suspected malware].
  2. Report — [the single reporting channel: phone, address, or chat channel, available at any hour].
  3. Preserve — [do not delete evidence; do not attempt to fix it yourself unless told to].
  4. Follow up — [the security owner will triage, keep you informed, and confirm when it is resolved].

8. Enforcement and review

  • Training: [Every new starter is briefed and confirms they have read this protocol; everyone refreshes it every [interval].]
  • Enforcement: [The rules apply to everyone; describe the consequences of ignoring them.]
  • Review: [This protocol is owned by [role] and reviewed [every 6 to 12 months] and after any significant incident.]
  • Acknowledgement: [Where signed acknowledgements are recorded.]
Use in GeneratorView Guide

About this Template

Part of the Security Protocol document collection

Document Type

Security Protocol

The defined steps and rules for handling security in a specific area.

Complexity

moderate

Format

procedure