Security policy is the logical embodiment of the enterprise business requirements for security and control. It can therefore be something that, once determined, is a key driver of the operational security management program. This chapter looks at various aspects of security policy and how to manage it. In this chapter you will learn about:

Security policy as the logical model of your business requirements

How to use a security policy to develop a strong security culture

How to use risk assessment as the means to select the appropriate level of security policy

How to construct a hierarchical security policy architecture that is aligned with the layers of the SABSA Model

How to set up an organizational structure that supports the creation, implementation and management of security policy

How to manage security policy in an environment of outsourced technical services, like the cloud.