Bayuk (2009) states that Information security policies are a special type of documented business rule to protect valuable data and systems which store and process the information. Within an organization, these written policy documents provide a high -level description of the various controls the organization will use to protect information. The documented information security policy is also a formal declaration of management's intent to protect information, and it is required for compliance with various security and privacy regulations. Organizations that require audits of their internal systems for compliance with various regulations will often use information security policies as the reference for the audit. (Attitude of the Hong Kong Small and Medium Enterprises (SMEs) towards Information Security, Hon Keung YAU)
Last date updated on July, 2014
