Samples and Templates
Policy templates and sample language that can be used by agencies to develop or strengthen their internal policies, procedures and practices.
These samples should be modified to best meet the agency's business needs. It is recommended that the policy language be developed in consultation with your Legal Office, Human Resources, Labor Relations, Equal Employment Opportunity Office, Executive Management, Information Security Officer, Chief Information Officer, and Information Technology staff.
Topics on this page
- Sample Asset Management Forms
- Sample Agreements and Contract Language
- Sample Request for Proposal and Request for Offers
- Information Security Policy Templates
- Incident Management
- Other Resources for Incident Management
Sample Asset Management Forms
- Employee Appointment Checklist (.doc, 39K)
- Record of Property Issued to State Employee (.doc, 74k)
- Employee Exit Checklist (.doc, 120k)
- Management Directive and Procedures for Handling Confidential Documents (.doc, 43k)
Sample Agreements and Contract Language
Sample agreements and model language to include in contracts that require information security provisions provided by the California Office of Information Security and other government agencies.
- Guideline for Establishing Data Exchange and System Interconnection Agreements Between Government Agencies (.doc, 2mb)
- BL-04-35 Contract Provisions (.doc, 31k)
- HIPAA Contract Provisions (.doc, 52k)
- Business Associate Agreements for HIPAA Privacy Rule (link to Department of Health and Human Services website)
- Model Contract Language (link to Department of General Services website)
Sample Request for Proposals (RFPs) and Request for Offers (RFOs)
Sample RFPs for seeking assistance with information security functions (such as risk assessments, and network scanning and penetration testing) provided by the State Information Security Office and other state agencies.
- Sample Risk Assessment RFP (.doc, 260k)
- Sample Security Assessment RFO (.doc, 241k)
- Instructions and Considerations for Preparing a Statement of Work with Samples (.pdf)
- Security and Confidentiality Statement for Vendors (.doc, 38KB)
Information Security Policy Templates
Policy development templates provided by the State Information Security Office and other California state agencies.Outline of Security Policy Components
- Security Policy Outline (.doc, 29k)
- Acceptable Use Policy Template (.doc, 52k)
- Employee Acknowledgement (.doc, 29k)
Other Resources for Information Security Policy Development
Policy Development Projects and Resources (Provided by various non-profit organizations)
- National Institute of Standards and Technology (NIST) - Computer Security Policy Guidance (link to NIST website, Special Publication 800-12, Chapter 5)
- SysAdmin, Audit, Network, Security (SANS) Policy Project (link to SANS website)
Sample incident management related forms and tools provided by the State Information Security Office and other California state agencies.
- Incident Cost Estimator Workbook (.xls, 42K)
- Incident Response Plan Example (.doc, 38k)
- Incident Communications Log (.xls, 16k)
- Sentinel Computer Collection Information Form (.doc, 205k)
- Sample breach notification templates. See the Security Breach Reporting and Notification Requirements for State Agencies
Other Resources for Incident Management
Incident Management Resources (Provided by various non-profit organizations)
- The NIST Federal Agency Security Practices (FASP) Resource Library offers guidance, samples and templates, and examples on a number of security topics including incident management like the Sample Generic Policy and High Level Procedures for Incident Response (.doc). More NIST and FASP Examples are offered in their digital archive (links to NIST-FASP website)
- The Computer Forensics & Digital Evidence Toolkit (links to Computer-Forensics, Privacy Resources website)
The California Office of Information Security (Office) web site contains links to other sites that are not owned or controlled by us. The information provided at these sites does not reflect the views of this Office or indicate an endorsement of a particular company or product. Please be aware that our Office is not responsible for the security and privacy practices of such other sites.