This chapter discussed security policies. You need to remember a few important points from this chapter. First, everything we do in information security is effectively risk management. As we stated in Chapter 1, you cannot ever hope to secure a network. The best you can hope for is to protect it against the threats that you understand and have chosen to mitigate. To guide you in this quest, you need a security policy. Actually, you need several of them, and they need to be written specifically for the audience you intend to read them. Finally, a policy with no enforcement is useless, so your users must have access to the policy, must understand the policy, and they must have access to the procedures necessary to comply with the policies and must know they are enforced.