Daljeet singh Viraj gaytri

Overview / Introduction

A security policy is a document that states in writing how a company plans to protect its physical and information technology (IT) assets. Security policies are living documents that are continuously updated as technologies, vulnerabilities and security requirements change.

Purpose

A security policy is a written document in an organization outlining how to protect the organization from threats, including computer security threats, and how to handle situations when they do occur. A security policy must identify all of a company's assets as well as all the potential threats to those assets.

Scope

A security policy (also called an information security policy or IT security policy) is a document that spells out the rules, expectations, and overall approach that an organization uses to maintain the confidentiality, integrity, and availability of its data. Security policies exist at many different levels, from high-level constructs that describe an enterprise’s general security goals and principles to documents addressing specific issues, such as remote access or Wi-Fi use.

Policy

A security policy (also called an information security policy or IT security policy) is a document that spells out the rules, expectations, and overall approach that an organization uses to maintain the confidentiality, integrity, and availability of its data.

Definition

A security policy is a document that states in writing how a company plans to protect its physical and information technology (IT) assets. Security policies are living documents that are continuously updated as technologies, vulnerabilities and security requirements change.

Responsibility

An information security policy is a statement of what you do for information security, not how you do it. How you do it is covered in process documents.

The information security policy is shared with employees, customers, third parties, auditors and more to show your approach to tackling information security. It includes some key elements such as management buy-in, security objectives, roles and responsibilities, monitoring, and legal and regulatory obligations. It is a straightforward document to write.

Revision history

Develop a prioritized action plan that will help you organize your efforts. Prepare a summary document of the impact that the information security policy or policies will have on the institution. A document revision history table will save you a lot of headaches when it is time to send out your document for review. Reviewers, especially in high-tech companies, are very busy people.