Security policies should be site-tailored and should take into account the site’s circumstances and computing environment. Although most terms and conditions differ from site to site, the following are general recommendations that are true for almost all circumstances.
Every device or piece of software should have a real person responsible for it and caring about it (at least in principle). This means that someone should be accountable in case some Ethernet switch somewhere on your network was misconfigured or was not connected to a UPS when it should have been. This also means that someone should be responsible for updating software and applying patches.