Definition: Information Security Policy is a phrase that refers to a set of rules, controls or requirements that govern how an organization achieves the safe management of its digital resources and assets. Adopting controlling statements that provide a framework for assuring the confidentiality, integrity and availability of data resources used for decision-making is a necessity. The elements of data assurance include an asset inventory, a comprehensive risk assessment, appropriate use, encryption, incident response, safe work practices, change management, forensics, business continuity plans and more. There are a number of models to follow: COBIT, ISO 17799/27000 and FISMA. Information security policy must be a business process.
Its Relevance: Organizations today must acknowledge the need to deploy information security practices. We live in an asymmetric threat environment. In addition, it is a basic fiduciary responsibility of an organization to assure the survival of the business or organization. State and federal laws now exist (e.g. Florida's Information Protection Statute, 501.171). To ignore information assurance is negligent. An organization that fails to practice due diligence might be found liable for losses.