Security Policies Every organization has something that someone else wants. Someone might want that something for himself, or he might want the satisfaction of denying something to its rightful owner. Your assets are what need the protection of a security policy. Determine what your assets are by asking (and answering) the following questions: What do you have that others want? What processes, data, or information systems are critical to you, your company, or your organization? What would stop your company or organization from doing business or fulfilling its mission? The answers identify assets in a wide range, including critical databases, vital applications, vital company customer and employee information, classified commercial information, shared drives, email servers, and web servers. A security policy comprises a set of objectives for the company, rules of behavior for users and administrators, and requirements for system and management that collectively ensure the security of network and computer systems in an organization. A security policy is a "living document," meaning that the document is never finished and is continuously updated as technology and employee requirements change. The security policy translates, clarifies, and communicates the management position on security as defined in high-level security principles. The security policy acts as a bridge between these management objectives and specific security requirements. It informs users, staff, and managers of