
 

Information Security Policy

An organization's information security policy (ISP) is a set of directives, regulations, rules, and practices that say how information is managed, protected and shared. It gives employees rules and procedures for using the organization's information technology, such as networks and applications, in a way that protects data privacy, integrity, and availability.
An effective IT security policy is a model of the organization's culture, in which the way employees handle their information and work drives the rules and procedures. It is therefore a document that is unique to each organization and is based on how its people feel about risk, how they see and value their information, and how they keep that information available.


To be effective, an information security policy should:

  • Include all of the security procedures in the company.
  • Be practical and easy to follow.
  • Be updated regularly to keep up with business needs and new threats.
  • Maintain your company's focus on its business objectives.