While I have a good outline for a “generalized” security policy, does anyone have an outline addressing Virtual Private Networks used by remote access clients (only), and employing strong authentication of a non-specific nature?