The IT Law Wiki


A security policy is

the set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information. A security policy addresses information classification, protection, and periodic review to ensure that information is being stewarded in accordance with an organization's privacy policy.[1]
[a] rule or set of rules that govern the acceptable use of an organization's information and services to a level of acceptable risk and the means for protecting the organization's information assets.[2]
[a] set of rules that govern security-relevant behavior. The rules can be stated at very high levels (e.g., an organizational policy defines acceptable behavior of employees in performing their mission/business functions) or at very low levels (e.g., an operating system policy that defines acceptable behavior of executing processes and their use of resources).[3]


"A complete security policy will necessarily address many concerns beyond the scope of computers and communications."[4]

A security policy covers the following (among other topics appropriate to the organization):

  • high-level description of the technical environment of the site, the legal environment (governing laws), the authority of the policy, and the basic philosophy to be used when interpreting the policy
  • risk analysis that identifies the site's assets, the threats that exist against those assets, and the costs of asset loss
  • guidelines for system administrators on how to manage systems
  • definition of acceptable use for users
  • guidelines for reacting to a site compromise (e.g., how to deal with the media and law enforcement, and whether to trace the intruder or shut down and rebuild the system).

Privacy policy vs. security policy

"A privacy policy is different from a security policy. Although security policies protect certain aspects of privacy, their main function is to protect organizational assets and the organization's reputation. They do not focus on protecting individuals from harm, consider whether personal information should be gathered or collected in the first place, address data quality, specify how information and intelligence should be used or stored and with whom it should be shared, or establish policy on retention. A comprehensive privacy policy will address both security and privacy, including key privacy, civil rights, and civil liberties protection issues."[5]


See also