operational policy
Security policies are the foundation of an information security program. Along with a program charter, properly implemented security policies serve as the guiding principles for an organization to provide assurances of information security and privacy to stakeholders.
In addition to the assurance capabilities possible via effective security policies, they also offer high-level guidance for the expected professional conduct of any person interfacing with technology and/or data on behalf of an organization. By ensuring these policies are in place, and enforced, organization's are meeting their ethical (and legal) obligations to provide due-diligence and due-care in protecting the data of their stakeholders.
In addition to the assurance capabilities possible via effective security policies, they also offer high-level guidance for the expected professional conduct of any person interfacing with technology and/or data on behalf of an organization. By ensuring these policies are in place, and enforced, organization's are meeting their ethical (and legal) obligations to provide due-diligence and due-care in protecting the data of their stakeholders.
SANS MGT514 (n.d.). Policy Pyramid
