Security Policy
Identifies what is valuable (assets)
Identifies the steps to safeguard assets
Assigns responsibility for protections
Assigns responsibility for policy changes
Defines the structure for applying policy
* Source: Garfinkel and Spafford, Practical UNIX and Internet Security. O’Reilly & Associates, Inc., Sebastopol, CA, 1996.
Each employee is responsible for protecting from unauthorized disclosure or use
the information and materials that are required to access protected company assets.