Who owns developing the security policy and getting it accepted? Senior management. Ultimately, no policy will be acceptable unless it is accepted and promulgated by senior management. Of course, in practice, the board of directors will not generally develop the policy. Rather, they will delegate that responsibility to some person, or more likely, body of persons, who will develop the policy and then present it for approval to the board and senior management. However, the key point is that security policy starts and ends with senior management. It must be part of the corporate structure and accepted as such; otherwise , it will not be followed and is unenforceable. A policy also must be grounded in the corporate legal reality. In essence, while senior management promulgates the policy, the corporate lawyers are actually the ones who write it.