A security policy should leave no room for misunderstanding, so that everyone in the company understands it the same way and security principles are applied consistently.
A security policy should have, at minimum, the following sections:
- Overview: Provides background information on the issue that the policy will address.
- Purpose: Specifies why the policy is needed.
- Scope: Lays out exactly who and what the policy covers.
- Target Audience: Advises for whom the policy is intended.
- Policies: This is the main section of the document, and provides statements on each aspect of the policy. For example, an Acceptable Use Policy might have individual policy statements relating to Internet use, email use, software installation, network access from home computers, etc.
- Definitions: For clarity, any technical terms should be defined.
- Version: To ensure consistent use and application of the policy, include a version number that is updated whenever the policy changes.