ABSTRACT
Most information security practitioners think of security policy development in fairly narrow
terms. The term usually connotes writing a policy on a particular topic and putting it into effect.
Practitioners with recent, hands-on experience in developing information security policies may
also include in their working definition the staffing and coordination of the policy, security
awareness tasks, and perhaps oversight of policy compliance. But is this an adequate inventory of
the functions that must be performed to develop an effective security policy? Many security
policies are ineffective precisely because those who wrote them failed to acknowledge everything
that policy development actually requires. Defining security policy development narrowly limits
the effectiveness of the policies that result from that definition.