A security policy is
> "[a] rule or set of rules that govern the acceptable use of an organization's information and services to a level of acceptable risk and the means for protecting the organization's information assets."

> "[a] set of rules that govern security-relevant behavior. The rules can be stated at very high levels (e.g., an organizational policy defines acceptable behavior of employees in performing their mission/business functions) or at very low levels (e.g., an operating system policy that defines acceptable behavior of executing processes and their use of resources)."
A security policy covers the following (among other topics appropriate to the organization):
- high-level description of the technical environment of the site, the legal environment (governing laws), the authority of the policy, and the basic philosophy to be used when interpreting the policy
- risk analysis that identifies the site's assets, the threats that exist against those assets, and the costs of asset loss
- guidelines for system administrators on how to manage systems
- definition of acceptable use for users
- guidelines for reacting to a site compromise (e.g., how to deal with the media and law enforcement, and whether to trace the intruder or shut down and rebuild the system).
- NICCS, Explore Terms: A Glossary of Common Cybersecurity Terminology (full-text).
- NIST Special Publication 800-160, at B-11.
- Glossary of Security Terms, Definitions, and Acronyms, at 219.
- "Overview" section: US-CERT, "Security of the Internet" (full-text).
- "Privacy" section: Privacy and Civil Liberties Policy Development Guide and Implementation Templates, App. E, Glossary.