Industry associations, think tanks, listservs and public universities can be gold mines for policy-generation efforts; when you can't find a broad template, a thoughtful cut, paste and modification of someone else's policy can be easier than starting from scratch.
"Policies is one place where plagiarism is totally OK," says Joe Filer, RackSpace director of corporate security.
We agree, as long as you choose intelligently and customize for your organization. Typically, publicly posted policies have been "sanitized," so specific organization identification is removed from the policy.
The SANS Institute think tank provides policy templates to the public, while the Help Desk Institute's templates are available only to paying members. "HDI has an interactive library that allows folks to upload and create Wiki-type documents, so that it can grow in value over time," says Ron Muns, HDI's CEO. Someone might start a document containing best practices for automated password resets, and someone else might finish it.
Look to groups with specific subject matter (for example, check out SANS for security policies and HDI for service and support policies), rather than simply Googling--you're more likely to find a quality, vetted policy through specialized organizations.
On the other hand, if you need a policy relevant to your industry, check industry IT user groups and listservs rather than groups that cater to various IT subject areas. A policy on bank auditing of automated deposits to your PeopleSoft system, for example, would be better found though a banking group than through a site that deals with PeopleSoft.
