Formulate a security policy - the benefit is that it provides the framework within which security controls are implemented

One of the definitions of security policy from RFC 2196 is: "A security policy is a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide."

Now that you are aware of your objectives from the previous step, it is much easier to set a security policy within the framework of your needs. A good policy should make sense, should be easily understandable and should align with the company's overall business goals. There are three types of policies: regulatory (mandated by legal requirements), advisory (acceptable practices and the consequences of violating them) and informative (not enforceable; provides information only).

A good policy (some of these items are borrowed from Cisco) should contain:

Statement of authority and scope

Acceptable use policy

Identification and authentication policy

Internet use policy

Corporate network access policy

Remote access policy

Incident handling policy

Policy is very powerful because it is a tool you can use to reduce the cost of security. As an example, if the cost of securing instant messaging is too high, we could have a policy disallowing the use of instant messaging, which literally costs nothing to implement.

Thought 5: Without a policy, can a company be legally empowered to pursue a lawsuit against misuse?