Why Do Organizations Need Security Policies?

In her 2006 revision of her whitepaper titled “Information Security Policy – A Development Guide
for Large and Small Companies”, author Sorcha Diver, explores the need for security policies for organizations of all sizes and structures.

Security policies will-

  • Help protect assets – people and information
  • Set the rules for expected behaviorĀ for users, system administrators,
    management, and security personnel
  • Authorize security personnel to monitor, probe, and investigate
  • Define and authorize the consequences of violation
  • Define the company consensus baseline stance on security
  • Minimize risk
  • Help track compliance with regulations and legislation

As seen above, security policies are vital and should be an integral part of any organization. They help provide clarity on a company’s security posture from the very top.
And while security policies would vary depending on an organization’s size, culture, and business model, there is no doubt that they are absolutely essential.


Driver, S. (2006). Information Security Policy – A Development Guide
for Large and Small Companies. Retrieved fromĀ https://www.sans.org/reading-room/whitepapers/policyissues/information-security-policy-development-guide-large-small-companies-1331