AN INFORMATION TECHNOLOGY (IT) security policy framework is the foundation of an organization's information security program. The framework consists of a library of documents. Organizations can use the framework to help build processes and acquire technology to enforce policies. The framework is also useful for putting security personnel in place to operate and maintain the program.

Organizations cannot afford to be reactive or operate in an ad-hoc fashion regarding information security. There's increased accountability and liability with regulations. There's increase demand from senior leadership to demonstrate value. There's a push and drive from security professionals to measure success. However, before ...