Security policies are written definitions of the expectations and principles for protecting corporate assets from various threats and vulnerabilities. A policy defines how the confidentiality, integrity, and availability of information are maintained, and sets the rules of behaviour for system and information users, developers, administrators, security personnel, and management.
A security policy is a document that is never finished; it is continuously updated as technology and employee requirements change. Information security policies underpin the security and well-being of information resources. They are the foundation, the bottom line, of information security within an enterprise.
Any organisation's mission-critical information needs to be backed up securely and reliably, and a contingency plan needs to be developed to make sure operations can resume quickly after a compromise or disaster. The IT security policy (or network security policy) plays an important role here.
If an IT system is attacked, its data may be corrupted, which could result in loss of revenue or even render the organisation incapable of functioning. If IT systems are compromised (e.g. web sites, customer databases), the organisation's reputation is at stake, with severe consequences.
By setting guidelines and standards, security policies help developers create secure code and instruct systems personnel in safely configuring host systems, networks, enterprise applications, e-mail, and databases. It is therefore essential for any company or corporation to design its own security policy.