For most organizations, maintaining security is an integral part of day-to-day business. Many organizations would fail if their security were seriously compromised.

To reduce the likelihood of security failures, the security implementation process has been formalized to some extent through a hierarchical organization of documentation. Each level focuses on a specific type or category of information and subject matter. To lay the foundation of a robust and reliable security infrastructure, security policies, standards, procedures, and guidelines are developed and implemented. This formalization significantly reduces the confusion and complexity of designing and implementing IT infrastructure security solutions.

Within this post you will learn what security policies are and how they fit into the organization’s IT governance.

We will go into more detail about how to ensure effectiveness of these documents in a future post.


Governance

Governance is a fundamental subject when discussing policies; it is an integral part of an organization’s strategy and goals. Governance ensures that IT supports the strategy and scales with it. Its scope includes every process that uses IT equipment, all stakeholders or users of IT equipment, and the IT equipment itself.

Governance is implemented in several ways, one of which is writing and rolling out policies. These policies set the rules that must be followed when operating within their scope.

Security Governance

The top-level formalization of security governance is called a security policy. A security policy is a document that defines the scope of security required by an organization and discusses the assets that are to be protected and the extent to which the security solution should provide the required protection. A security policy is an overview of an organization’s security requirements. It defines key security objectives and outlines an organization’s security framework. It should clearly define why security is important and which assets are valuable. It is a strategic plan for implementing security, outlining the security goals and practices that should be employed to protect the vital interests of the organization. Security policies are used to assign responsibilities, define roles, establish audit requirements, outline enforcement processes, specify compliance requirements, and define acceptable risk levels. Security policies are often used as evidence that management has taken appropriate steps to prevent intruders, attacks, and disasters. Additionally, they measurably improve security.

To ensure the successful implementation of its overall security structure, different types of security policies are implemented:

  • Organizational security policy
    This policy type addresses matters that affect every part of the organization.
  • Issue-specific security policy
    This policy type focuses on a specific aspect of the organization, distinct from the organization as a whole.
  • System-specific security policy
    The scope of this last type of policy is individual systems or types of systems.

Additionally, every security policy can be sorted within one of these three categories:

  • Regulatory
    A regulatory policy is required whenever industry or legal standards are applicable to an organization.
  • Advisory
    A policy categorized as an advisory policy discusses behaviors and activities that are acceptable and defines consequences of violations. It shows and clarifies senior management’s desires for security and compliance within an organization.
  • Informative
    An informative policy is designed to provide information and knowledge about a specific subject. It simply provides information that is relevant to a specific element of the overall policy; it does not set enforceable requirements.

These different types of policies are usually complemented by standards, procedures, and guidelines, which provide more detailed information or hands-on advice on how to secure the organization.

Getting the overall security governance right is crucial as the foundation of an organization’s security posture and fundamental to the organization’s compliance.