Need for a Security PolicyA security policy is defined as “The framework within which an organization establishes the necessary levels of information security to achieve desired privacy objectives ". The main purpose of a security policy is to update users, staff and managers of the mandatory obligations for the protection of the technological and information assets of their company. The policy must clearly specify the ways in which these requirements can be met. Another purpose of security policy is to provide a standard by which to capture, configure, and verify computer systems and networks for compliance with the policy. Therefore, an attempt to use a set of security tools in the absence of at least an implicit security policy is meaningless. It also defines what should be done when the user misuses the network, if an attack occurs on the network or if there are any natural outages of the network. How is security policy formed? The above diagrams provide a detailed explanation of how an effective security policy can be formed. People responsible for forming a security policy. For a security policy to be enforceable and operational, it requires acceptance and support from employees at all levels within the organization. Corporate management support is critical to the security policy process, otherwise there is little chance that it will have the desired effect. Below is the list of people who need to be involved in the creation of security policy documents.1. Site Security Administrator.2. IT technical staff (for example, computer center staff)3. Administrators of large user groups within the organization (e.g., business divisions, IT department within a university, etc.)4. Security included... half paper... to be viable in the long term, it requires a lot of flexibility based on an architectural security concept. A security policy should be (largely) independent of specific hardware and software situations (since specific systems tend to be replaced or moved from one day to the next). Mechanisms for updating the policy should be clearly spelled out. This includes the process, the people involved, and the people who need to approve the changes. References: http://www.zdnet.com/news/seven-elements-of-highly-effective-security-policies/297286 Seven Elements of an Effective Information Security Policy Management Program By David J. Lineman http: //www.networkworld.com/community/node/38842 http://en.wikipedia.org/wiki/Security_policy http://docs.oracle. com/cd/B19306_01/network.102/b14266/politips.htm http://searchsecurity.techtarget.com/tip/Whos-responsible-for-security-Everyone