Definitions Edit

An information security policy is

[a] high-level policy of an organization that is created to support and enforce portions of the organization's Information Management Policy by specifying in more detail what information is to be protected from anticipated threats and how that protection is to be attained.[1]
[the a]ggregate of directives, regulations, rules, and practices that prescribe how an organization manages, protects, and distributes information.[2]

Overview Edit

"For example, the information security policy for financial data processed on DoD systems may be in U.S.C., E.O., DoD Directives, and local regulations. The information security policy lists all the security requirements applicable to specific information."[3]

References Edit

  1. NIST Special Publication 800-152, at 131.
  2. CNSSI 4009, at 33.
  3. DoD Instruction 5200.40, at 11 (E2.1.29).
Community content is available under CC-BY-SA unless otherwise noted.