Establish how management from all communities of interest must consider policies as the basis for all information security planning, design, and deployment.
Explain how policies direct how issues should be addressed and how technologies should be used.
Emphasize that they should not explain the proper operation of hardware or software. This information should be placed in standards, procedures, and systems documentation.
State that policies should never contradict laws because they must be properly administered through dissemination and documented acceptance.
Explain that quality security programs begin and end with policy.
Report how security policies are the least expensive control to execute, but the most difficult to implement properly.