Combined Policy Pack
Aligned to: HIPAA Security Rule (45 CFR Part 164, Subpart C) & CIS Controls v8
This pack consolidates 22 policies governing how Dunder Mifflin protects the confidentiality, integrity, and availability of its information, including electronic protected health information. Each policy below is maintained as a standalone document.
Information Security Policy
Master governance policy establishing the security program and risk-management process.
Acceptable Use Policy
Rules for appropriate use of company systems, devices, email, and internet.
Artificial Intelligence (AI) Acceptable Use Policy
Governs how workforce members may use AI and generative-AI tools, with strict rules for protecting sensitive and regulated data.
Workplace Monitoring & Employee Consent Policy
Establishes the company's right to monitor its systems, devices, data, and usage — and the consent each workforce member attests to.
California Workplace Privacy & Monitoring Addendum
California-specific privacy, consent, and notice requirements that supplement the Workplace Monitoring policy for California workforce members.
Access Control & Identity Management Policy
Provisioning, least privilege, and de-provisioning of system access.
Password & Authentication Policy
Password strength, MFA, and credential-handling requirements.
Data Classification & Handling Policy
Classifying data by sensitivity and the handling rules for each tier.
Data Encryption Policy
Encryption standards for data at rest and in transit.
Asset Management Policy
Maintaining an accurate inventory of hardware and software assets.
Secure Configuration Policy
Hardening baselines for systems, applications, and network devices.
Vulnerability & Patch Management Policy
Identifying, prioritizing, and remediating vulnerabilities and patches.
Malware Defense & Endpoint Protection Policy
Anti-malware, EDR, and endpoint protection requirements.
Audit Logging & Monitoring Policy
Collecting, protecting, and reviewing audit logs.
Network Security Policy
Firewalls, segmentation, wireless, and remote-access controls.
Backup & Data Recovery Policy
Backup frequency, retention, encryption, and restore testing.
Incident Response Policy
Detecting, reporting, and responding to security incidents and breaches.
Security Awareness & Training Policy
Required security training and phishing awareness for the workforce.
Business Continuity & Disaster Recovery Policy
Maintaining operations and recovering systems after a disruption.
Breach Notification Policy
How suspected breaches are assessed and how individuals, regulators, and partners are notified within required deadlines.
Vendor & Business Associate Management Policy
Risk-assessing vendors, requiring Business Associate Agreements, and reviewing third parties that access company data.
Data Retention & Secure Disposal Policy
How long records and data are retained, and how data, devices, and media are securely destroyed at end of life.