Vanta policy template instructions

This Vanta policy template represents a complete, compliance-ready policy with placeholders for company specific text. Each policy section represents a policy-specific topic that you should consider and/or modify to match your company’s practices.

For each policy section

  • Consider if this section and its corresponding risks applies to you. If it does not, remove it and/or replace it with your organization’s corresponding practices.

  • Replace any highlighted text in angle brackets < > with your own language

  • Rewrite the policy language such that it reflects the practices of your organization

Policy completion checklist

  1. Use Find to make sure that all text in angled brackets is replaced

  2. Proofread your policy for spelling and grammar mistakes

  3. Confirm that the policy’s content reflects your organization’s practices

  4. Add any company-specific letterhead, branding, and formatting

  5. Remove this instructions page

  6. Export this document as PDF — File > Save As > Change “File Format” to PDF

  7. Upload the PDF to Vanta at https://app.vanta.com/policies

More questions?

A good rule-of-thumb is to keep your language high enough level such that it stays representative for at least a year. If you have more questions about how to use this template, please reach out to support@vanta.com or your auditor for additional guidance.

...

Scope

All <Company Name> information systems that are business critical and/or process, store, or transmit company data. This Policy applies to all employees of <Company Name> and other third-party entities with access to <Company Name> networks and system resources.

Operations Security

Documented Operating Procedures

...

Systems and Network Configuration, Hardening, and Review

Systems and networks shall be provisioned and maintained in accordance with the configuration and hardening standards described in Appendix A to this policy.

...

Protection from Malware

To protect the company’s infrastructure against the introduction of malicious software, detection, prevention, and recovery controls against malware shall be implemented, combined with appropriate user awareness.

...

Information Backup

The need for backups of systems, databases, information and data shall be considered and appropriate backup processes shall be designed, planned and implemented. Backup procedures must include procedures for maintaining and recovering customer data in accordance with documented SLAs. Security measures to protect backups shall be designed and applied in accordance with the confidentiality or sensitivity of the data. Backup copies of information, software and system images shall be taken regularly to protect against loss of data. Backup and restore capabilities shall be periodically tested, not less than annually.

...

Logging & Monitoring

Production infrastructure shall be configured to produce detailed logs appropriate to the function served by the system or device. Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and reviewed through manual or automated processes as needed. Appropriate alerts shall be configured for events that represent a significant threat to the confidentiality, availability or integrity of production systems or Confidential data.

...

  • Log user log-in and log-out

  • Log CRUD (create, read, update, delete) operations on application and system users and objects

  • Log security settings changes (including disabling or modifying of logging)

  • Log application owner or administrator access to customer data (i.e. Access Transparency)

  • Logs must include user ID, IP address, valid timestamp, type of action performed, and the object of that action.

  • Logs must be stored for at least 30 days, and should not contain sensitive data or payloads
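The logging requirements above can be checked mechanically before logs are accepted into long-term storage. The following checker is an added example and is not part of the Vanta template or any Vanta product; it assumes a JSON-lines audit log with constructed field names (user_id, src_ip, ts, action, object) and a constructed list of sensitive keys. It verifies that each event carries the required fields, that the timestamp and IP address are well formed, that the action is one the policy requires to be logged, and that no sensitive data or payload fields were written into the log.

```python
"""Audit-log event checker for the logging requirements in this policy section.

Added example, not part of the policy template. Field names, the action
vocabulary and the sensitive-key list are assumptions; real systems differ.
"""
import ipaddress
import json
from datetime import datetime, timezone

# Fields the policy requires on every event (assumed field names).
REQUIRED_FIELDS = ("user_id", "src_ip", "ts", "action", "object")

# Actions the policy requires to be logged (assumed action vocabulary):
# log-in/log-out, CRUD on users and objects, security settings changes,
# and administrator access to customer data.
REQUIRED_ACTIONS = {
    "login", "logout", "create", "read", "update", "delete",
    "security_setting_change", "customer_data_access",
}

# Keys whose presence means a sensitive value or payload was logged (assumed).
SENSITIVE_KEYS = {"password", "token", "secret", "ssn", "card_number", "payload"}


def _valid_timestamp(value):
    """A valid timestamp is ISO 8601, carries a timezone, and is not in the future."""
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except (ValueError, AttributeError):
        return False
    return ts.tzinfo is not None and ts <= datetime.now(timezone.utc)


def _valid_ip(value):
    """Accept any syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_event(event):
    """Return a list of policy findings for one event; an empty list means compliant."""
    findings = []
    for field in REQUIRED_FIELDS:
        if not event.get(field):
            findings.append(f"missing {field}")
    if "ts" in event and not _valid_timestamp(event["ts"]):
        findings.append("invalid timestamp")
    if "src_ip" in event and not _valid_ip(event["src_ip"]):
        findings.append("invalid ip")
    if event.get("action") and event["action"] not in REQUIRED_ACTIONS:
        findings.append(f"unknown action {event['action']}")
    leaked = sorted(SENSITIVE_KEYS & set(event))
    if leaked:
        findings.append("sensitive data logged: " + ", ".join(leaked))
    return findings


def check_log(lines):
    """Check a JSON-lines log; return {line_number: findings} for non-compliant lines only."""
    report = {}
    for number, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            report[number] = ["unparseable line"]
            continue
        findings = check_event(event)
        if findings:
            report[number] = findings
    return report


# Constructed sample log: one compliant event, one leaking a password,
# one missing the user and carrying a bad timestamp, one with a bad IP.
SAMPLE_LOG = [
    '{"user_id": "u-1001", "src_ip": "10.0.0.5", "ts": "2024-05-01T12:00:00Z", '
    '"action": "login", "object": "console"}',
    '{"user_id": "u-1001", "src_ip": "10.0.0.5", "ts": "2024-05-01T12:01:00Z", '
    '"action": "update", "object": "user:u-2002", "password": "hunter2"}',
    '{"src_ip": "10.0.0.5", "ts": "not-a-time", "action": "delete", "object": "record:42"}',
    '{"user_id": "admin", "src_ip": "999.1.1.1", "ts": "2024-05-01T12:02:00Z", '
    '"action": "security_setting_change", "object": "logging"}',
]

if __name__ == "__main__":
    for number, findings in sorted(check_log(SAMPLE_LOG).items()):
        print(f"line {number}: {'; '.join(findings)}")
```

Running the checker on the constructed sample reports lines 2, 3 and 4; line 1 passes. The retention requirement (at least 30 days) is a property of the log store rather than of individual events and is not checked here.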

Protection of Log Information

...

Control of Operational Software

The installation of software on production systems shall follow the change management requirements defined in this policy.

Technical Vulnerability Management

Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities shall be evaluated, and appropriate measures taken to address the associated risk. A variety of methods shall be used to obtain information about technical vulnerabilities, including <vulnerability scanning, penetration tests, review of external vendor alerts, and the bug bounty program>.

...

Vulnerabilities assessed by <Company Name> shall be patched or remediated in the following timeframes:

  Determined Severity    Remediation Time
  Critical               30 Days
  High                   30 Days
  Medium                 60 Days
  Low                    90 Days
  Informational          As needed

...

Restrictions on Software Installation

Rules governing the installation of software by users shall be established and implemented in accordance with the <Company Name> Information Security Policy.

Information Systems Audit Considerations

Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimize disruptions to business processes.

...

Risks shall be considered prior to the acquisition of, or significant changes to, systems, technologies, or facilities. Where requirements are formally identified, any relevant security requirements shall be included. The acquisition of new suppliers and services shall be made in accordance with the Third-Party Management Policy.

The company shall perform an annual network security assessment that includes a review of major changes to the environment such as new system components and network topology.

Exceptions

Requests for an exception to this policy must be submitted to the <approver of exceptions to this policy, e.g., IT Manager> for approval.

Violations & Enforcement

Any known violations of this policy should be reported to the <person who should receive reports of violations of this policy, e.g., IT Manager>. Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company procedures up to and including termination of employment.

...

Servers and Virtual Machines

This is the standard for system-level server and virtual server (VM) configuration hardening. Some customization to these settings may be required to configure the system for its specific target environment, such as setting the proper names, groups, authentication settings, and other personalization options.

...