Definition: Security policies, ideally, must exist in every organization. They cover how the confidentiality, integrity and availability of information are to be provided within an organization. Everything related to information, from creating and processing to transmitting and storing it, should be covered in the organization’s official rules. Without official requirements and guidelines for the processing of information, even the most basic information assurance activities are impossible to perform.
Information security must be thought of as a business process.
Its Relevance: One of the first questions that an attorney or a judge would ask in a liability lawsuit related to information assurance would be, “Are there any official rules or procedures in the organization related to the processing of information resources?” The answer to that question goes a long way toward determining whether the infrastructure owner meets the test of due diligence.