What Are Information Systems Security Policies?

Security policies are actually a collection of several documents. They generally start with a set of principles that communicate common rules across the enterprise. It is these principles that governance routines use to interpret more detailed policies. Principles are expressed in simple language. An example may be an expression of risk appetite by employing the “need-to-know” approach to the granting of access. From these security principles flow security policies that detail how the principles are put into practice.

When combined, these policy documents outline the controls, actions, and processes to be performed by an organization. An example is the requirement that a customer provide a receipt ...

Get Security Policies and Implementation Issues, 3rd Edition now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.