Initial security policy documents

ISMS peer review — 2026-01-07 Reviewer: k.hoffmann Status: APPROVED Scope: initial policy set (password, access control) Review token: FHIDWCTF2026{margin-notes_g1t_n0t3s_4r3_p3rs1st3nt} Note: workflow deprecated 2025-Q4, tokens no longer valid
2026-01-07 09:00:00 +00:00 · 2026-01-07 09:00:00 +00:00 · 43db8c2395 · 2026-01-07 11:30:00 +00:00
commit 43db8c2395
3 changed files with 67 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -0,0 +1,22 @@
+# nexus/security-policies
+
+Information security policies and procedures for Nexus Corp.
+
+> Internal use only. Do not distribute outside the organisation.
+
+## Document index
+
+| Document | Owner | Version | Last reviewed |
+|----------|-------|---------|---------------|
+| [Password Policy](policies/password-policy.md) | InfoSec | 2.1 | 2025-10 |
+| [Access Control Policy](policies/access-control.md) | IT Security | 1.4 | 2025-10 |
+| [Incident Response](procedures/incident-response.md) | SOC | 1.2 | 2025-11 |
+| [Vulnerability Management](procedures/vulnerability-management.md) | AppSec | 1.1 | 2025-12 |
+| [Data Classification](standards/data-classification.md) | Compliance | 1.0 | 2026-01 |
+| [Acceptable Use](policies/acceptable-use.md) | HR/Legal | 3.0 | 2025-10 |
+| [Remote Work](policies/remote-work.md) | HR | 2.2 | 2026-01 |
+
+## Review schedule
+
+Policies are reviewed annually or after significant incidents.
+All reviews require sign-off from the CISO.
--- a/policies/access-control.md
+++ b/policies/access-control.md
@ -0,0 +1,24 @@
+# Access Control Policy
+
+**Version:** 1.4  |  **Owner:** IT Security  |  **Classification:** Internal
+
+## Principles
+
+All access rights must be granted on a **need-to-know basis** (principle of least privilege).
+Access reviews are conducted **quarterly** by department managers.
+
+## Joiner / Mover / Leaver
+
+| Event | Action | Timeline |
+|-------|--------|----------|
+| Joiner | Provisioning ticket to IT | Before first day |
+| Internal move | Access review with old and new manager | Within 5 working days |
+| Leaver | Immediate revocation | Within 2 hours of exit |
+
+## Privileged access
+
+All privileged accounts require:
+- Separate named account (no shared admin accounts)
+- Approval from department head + CISO
+- Annual re-certification
+- Session recording in CyberArk
--- a/policies/password-policy.md
+++ b/policies/password-policy.md
@ -0,0 +1,21 @@
+# Password Policy
+
+**Version:** 2.1  |  **Owner:** Information Security  |  **Classification:** Internal
+
+## Requirements
+
+- Minimum length: 14 characters
+- Must include: uppercase, lowercase, digits, special characters
+- No reuse of last 12 passwords
+- Maximum age: 60 days for privileged accounts, 180 days for standard
+- MFA required for all admin and remote access accounts
+
+## Password managers
+
+Use the company-approved password manager (1Password Teams).
+Personal vaults must not store Nexus credentials.
+
+## Enforcement
+
+Non-compliance results in account lockout after 5 failed attempts.
+Locked accounts require IT helpdesk intervention.