The cornerstone of effective information security architecture is a well-written policy statement. This is the wellspring of all other directives, standards, procedures, guidelines, and other supporting documents. As with any foundation, it is important to establish a strong footing. As will be discussed, a policy performs two roles: one internal and one external.