

Computer security

Policy is

senior management's directives to create a computer security program, establish its goals, and assign responsibilities. The term policy is also used to refer to specific security rules for particular systems. Additionally, policy may refer to entirely different matters, such as the specific managerial decisions setting an organization's e-mail privacy policy or fax security policy.[1]
[o]rganizational-level rules governing acceptable use of computing resources, security practices, and operational procedures.[2]


A policy is

a formal document describing roles, responsibilities, standards, and enforcement mechanisms with regard to a particular issue.[3]
[t]he principles and values that guide the performance of a duty. A policy is not a statement of what must be done in a particular situation. Rather, it is a statement of guiding principles that should be followed in activities that are directed toward the attainment of goals.[4]
a high level, strategic statement, authorized by the executive management that dictates what type of position the organization has taken on specific issues.[5]
[t]he set of authoritative directives related to a topic including statute, regulation, executive directions, and applicable managerial decisions, both foreign and domestic.[6]
[g]uidance that is directive or instructive, stating what is to be accomplished. It reflects a conscious choice to pursue certain avenues, and not others. Policies may change due to changes in national leadership, political considerations, or for fiscal reasons.[7]
[s]tatements, rules or assertions that specify the correct or expected behavior of an entity. For example, an authorization policy might specify the correct access control rules for a software component.[8]


  1. NIST Special Publication 800-18, at 33.
  2. Information Technology Security Handbook, Annex 1, Glossary.
  3. Information Security Guide 2 - Glossary.
  4. U.S. Department of Justice, Minimum Criminal Intelligence Training Standards for Law Enforcement and Other Criminal Justice Agencies in the United States 43 (Ver. 2) (Oct. 2007) (full-text).
  5. Newfoundland-Labrador, Office of the Chief Information Officer, Information Management and Information Protection Glossary of Terms (full-text).
  6. NSTAC Report to the President on Cloud Computing, at C-4.
  7. Air Force Supplement to the Department of Defense Dictionary of Military and Associated Terms, at 51.
  8. NISTIR 7621 Rev. 1, at A-3.

See also