There should be an overall policy that establishes the direction of the ORGANIZATION and its security mission as well as roles and responsibilities. There can ALSO be system-specific POLICIES to address for individual systems. Most importantly, the policies should address the appropriate use of computing resources. In addition, policies can address a number of security controls from passwords and backups to proprietary information. There should be clear procedures and processes to follow for each policy. These policies should be included in the employee handbook and posted on a READILY ACCESSIBLE intranet site.

There should be an overall policy that establishes the direction of the organization and its security mission as well as roles and responsibilities. There can also be system-specific policies to address for individual systems. Most importantly, the policies should address the appropriate use of computing resources. In addition, policies can address a number of security controls from passwords and backups to proprietary information. There should be clear procedures and processes to follow for each policy. These policies should be included in the employee handbook and posted on a readily accessible intranet site.