In this paper we discuss the shaping of a security policy in an Indonesian bank. Theoretically we use a framework grounded in Institutional and Structural theory. It is important to understand the shaping of security policies in organizations since majority of information systems (IS) security research, while acknowledging the importance, has fallen short of a careful review of the social aspects of security policy formulation and implementation. An interpretive case-study research is used to conduct the research. Our unit of analysis is a mature, large Indonesian government-owned commercial bank. The case was chosen because a security breach had just unfolded while the research project was being set up. This allowed us to study how a security policy gets shaped and what lessons there might be from an institutional and a structuration standpoint. Our findings hark back at the importance of good design of systems and proper consideration of social and political aspects in the configuration of security policies. One of the major contributions of the research presented in the paper relates to how institutional theory can be used to demonstrate how institutional forces affect the design and the use of security policies.