A well-developed security policy is one of the most important security tools that an organization can employ. However, policy cannot exist in a vacuum and needs supporting documentation. Understanding the relationship between policies, standards, baselines, guidelines, and procedures is essential to ensure that corporate IT security is supportable and enforceable.
Policies
Policies form the basis of any set of security documents. They outline, in generalized terms, the enterprise's goals with regard to the security that it wishes to achieve and the methods by which it will be achieved. Policies also indicate how and by whom security will be managed. Policies are generally fixed. The information assets that are protected may change, as may the tools that are used to protect them, but the corporate incentive to provide protection will remain.
The following is an example of a typical policy:
Through definition and application of access permissions, unauthorized usage can be controlled, reduced, and