Security policies are documents that dene the nal “what” that must be accomplished with regard to your organization’s information protection strategy. You will also need to create supporting documents that provide the “who, how, why, when, and where” information necessary to meet your policy requirements. ese supporting documents will outline the following:
• Information systems roles and responsibilities • Who has access to what information • Acceptable usage for your employees • Standards to which all employees must adhere • Procedures to actually carry out the specic policies, standards,
and guidelines Some people might say, “We know what our security needs and
technologies are so we don’t need formal policies.” is could not be further from the truth. Security policies should come rst. Technically
they usually come second in mid-to large-sized organizations, after your formal risk analysis, but they should be a top priority nonetheless. Security technologies are merely a way to enforce your policies and should not be seen as the only requirement for adequate security.