ABSTRACT
Information security policies represent the expectations of senior management as to how the overall security program, system controls, and user behavior should be implemented. These policies are of the highest level of the information security policy framework. Like many organizational documents that must be approved by senior management, the information security policy should conform to organizational standards. Most organizations have a standard template for policies. The policy statement is the core of the policy document. It is the policy statement that provides the direction, requirement, or order for the minimal security controls of information systems of behaviors of people. Since many of the information security policy statements are derived from reference standards, regulations, and other source documents, a reference section should be added to the end of the policy document. The reference section allows those attempting to implement the policy statements to look up the source documents for clarity or supplemental guidance.
