How to Cheat at Managing Information Security

As mentioned, the security policy is driven by the security strategy. The security policy sets rules on how we treat information security. A good security policy is:
Directive It should read like a set of rules, in very plain, forceful English. It is definitely not a discussion document, and we are not asking for compliance; it is simply a condition of working in your company.
Abstracted from technology The policies should be written so that operating systems can be changed or augmented without a need for any changes to policy. The technology is just a tool.
Supported You must ensure that the management signs off on the policy. Worse still, it is likely to be your job to ensure that management is compliant.
Implemental Policies must be capable of being complied with, in a reasonable and constructive may.
Owned Someone must own the document, its updating, and its enforcement.
A good policy should contain the components shown in the following sidebar. It is a good idea to stay with this format.
A good security policy includes the following components:
Objective/purpose This states clearly the purpose of the policy by indicating what it is designed to protect the organization from.
Scope This typically says something like this policy applies to all permanent and contract employees.
Policy statements See the section in this chapter...