ABSTRACT

Every information security management textbook starts with the same basic advice on implementing an effective organizational security program: begin with policies. The highest level of the information security policy reflects the organization’s vision of security, its objectives for security, and its management strategy for securing information. Security policies ensure that the various parts of an organization perform security activities in a standard way rather than each group developing its own procedures within isolated silos. Organizations vary greatly in what is permissible and prohibited in terms of activities with the potential to create security risks. Developing a set of high-level information security policies for larger or complex organizations can be very expensive. A number of factors may influence the cost of developing and maintaining information security policies. A small organization with limited resources may elect to use a prewritten information security policy template as the basis for its policy development process.