This document provides a framework for creating a set of policies and procedures focused on the security of an organization’s information. Each supporting policy must meet the requirements set out in this document.

This sample policy applies to information security within company operating units and entities with direct, indirect, or implied access to information assets owned by or entrusted to a company. It defines expectations of an organization with respect to information security. The objective is to guide human behavior in an attempt to reduce the risk to information assets by accidental or deliberate actions.