This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Information Security Policy - A Development Guide for Large and Small Companies A security policy should fulfill many purposes. It should: protect people and information; set the rules for expected behaviour by users, system administrators, management, and security personnel; authorize security personnel to monitor, probe, and investigate; define and authorize the consequences of violation; define the company consensus baseline stance on security; help minimize risk; and help track compliance with regulations and legislation. .