The security policies that exist on your network provide the stable foundation upon which the details of hardening your network are built. Your security policies define not only what can be done with your network resources, but what cannot be done.
Security policies should be written and developed by a security committee, which should first conduct a risk analysis and then use that information to develop effective security policies. Your security policies should explain how to prevent a security incident from occurring and define what to do in the event that a security incident occurs. You can ensure that your security policies cover the needs of your enterprise by addressing seven sections in all your security policies: the overview section, purpose section, scope section, policy section, enforcement section, definitions section, and revision history section.
Finally, to ensure that your security policies avoid common pitfalls, you should identify and address the issues that commonly cause a security policy to fail.