The three general categories of policies involved with information security are: (a) general or security program policies, (b) issue-specific security policies, and (C) system-specific security policies.

A general or security program policy is the overarching information security policy for an organization. This policy provides the foundation for the lower-level and more detailed security policies. The general or security program policy directly supports the organization’s mission or business objectives and has the endorsement of executive management. This policy sets the framework for which the other security policies shall follow and support. Included in this overarching policy is the scope, purpose, roles and responsibilities, any constraints and the applicability of the policy for the organization.

An issue-specific security policy addresses a specific area of technology within an organization, such as email, or use of the internet. The issue-specific security policy contains a brief description of the issue and instructions for the proper use of the associated technology.   Due to rapid developments in technology, this policy will require frequent updates to remain current and relevant. Issue-specific policies may also detail the prohibited use of technology or equipment in addition to the acceptable use. Issue-specific security policies may be individual and assigned for one type of technology or they may be all-inclusive of various technologies in use at the organization.

System-specific security policies are written documents that provide standards or procedures for configuring and maintaining information systems such as time-sheet and expense account systems or information technology equipment such as network firewall devices. System-specific security policies can be grouped as managerial guidance or as technical guidance. Managerial guidance supports the organization’s objectives in the implementation and configuration of information systems and information technology equipment. Technical guidance supports the managerial guidance and provides the details necessary to implement and manage the information systems and information technology equipment. These detailed policies can include access control lists that specify who can access systems, what they can access, when they can access, and where they can access systems. System-specific security policies can also include configuration rules such as firewall rule policy settings and intrusion detection/prevention rules.