The need for policy
Security is not the result of wishful thinking, nor is it the result of well-intentioned technical staff members who believe they know how to secure computers. Because security is relative, it can be achieved only by setting goals to measure it against. Those goals become security policies. More formally, a policy is a guidance statement, endorsed by an executive, which provides clear but flexible guidance for determining technology- and operation-specific security standards. Standards are supported by procedures. Chapter 3, "Security Policies," describes the structure and content of security policies, as well as the manner in which they should be determined.