The top-level policy is designed to bring together all the common themes of operational risk management across all the operational risk management disciplines. Security policy is the logical embodiment of the enterprise business requirements for security and control. On one level a security policy appears to just be words on a piece of paper, a purely physical document that lives in the filing cabinet somewhere in your office or on the Intranet. Through the long experience of working in a wide range of client organizations, the authors have seen many ways of structuring security policies. The level for policies refers to the certification authorities and registration authorities that one would expect in an enterprise security architecture built around the concept of public key infrastructure and digital certificates. The least-privilege principle is a longstanding security policy principle that you will find stated in any serious text on information security and without a doubt, it is an important principle in all circumstances.