ABSTRACT

Information security policy is the general term for any document that conveys an element of the security program in order to enforce organizational security goals and objectives. This chapter utilises the terms policy, standard, procedure, baseline, and guideline to describe the various information security policy document types. Information security policies sit at the highest level of the policy set. They are approved and issued by the senior management of the organization and state its expectations for the overall security program, for system controls, and for user behaviour. Organization-level information security policies address the overall information security program and the sensitivity of data. In the Information Security Program Policy, senior management dictates the required elements of the information security program, assigns responsibilities, and establishes oversight controls. In the Data and System Classification Policy, senior management defines levels of classification for both data and information systems, based on the sensitivity of the data and the criticality of the system.