The role of policy is to codify guiding principles, shape behavior, provide guidance for decision makers, and serve as an implementation roadmap. An information security policy is a directive that defines how an organization is going to protect its information assets and information systems, ensure compliance with legal and regulatory requirements, and maintain an environment that supports the guiding principles. The objective of an information security policy and its corresponding program is to: 1. Protect the organization, its employees, its customers, and its vendors and partners from harm resulting from intentional or accidental damage, misuse, or disclosure of information; 2. Protect the integrity of the information; and 3. Ensure the availability of information systems. Successful information security policies establish what must be done and why it must be done, but not how to do it. Good poli...