A basic security policy should include:

Password policy

Acceptable Use Policy for email, internet browsing, social media, etc.

Access and control of proprietary data and client data

Access to company data from remote locations, or on non$-$corporate devices

Physical security protocols for doors, dealing with visitors, etc.

Understanding data classification $($What is critical and private data?$)$

How to deal with and report lost or stolen devices

How to handle and report a suspected security breach or data loss

Requirements and expectations for Security Awareness Training

Use of third$-$party cloud or file sync services such as Gmail, Dropbox, etc.

Requirements for encryption and computer locking procedures $("$What Should Be Included," n$.$d$.)$