This policy from TechRepublic Premium will help you create security guidelines for devices that transport and store data. You can use it as-is or customize it to fit the needs of your organization and employees.

From the policy:

The IT department will be responsible for implementing, adhering to and maintaining these controls. For the purposes of this document, “all devices” refers to workstations, laptops, servers, switches, routers, firewalls, mobile devices and wireless access points.

Where possible, these guidelines will apply to external remote systems and cloud services.

CONFIGURATION GUIDELINES

All devices should be configured using strong administrative controls, including complex passwords or SSL keys (which must be kept in a centralized password/key database that only the IT department can access). These passwords/keys must be rotated every 90 days or when an IT staff member has been terminated.

All devices should be set up with a ‘least privilege necessary’ model, whereby access is provided only to employees who require it to do their jobs. Administrator accounts should be kept to a minimum and provided only to authorized members of the IT department (or elsewhere if approved by IT).