Information security policy is essential to the success of any information security program because it is the primary process used by organizations to influence the performance of personnel in ways that enhance the information security of the organization’s information assets. Whereas computer security can be thought of as the processes and techniques of securing IT hardware, software and data (including networks), information security is a broader concept. The processes of information security are concerned with the protection of the confidentiality, integrity and availability of information within systems comprising hardware, software, networks, data, procedures and personnel. As organizations change through evolution of practices and hiring of new personnel for growth or replacement, policy emerges as the mechanism whereby an organization defines what is to be secured and establishes what to secure, why it needs to be secured and perhaps how to achieve the desired levels of security. Without sound policy as a foundation, an organization is less likely to be successful in its mission to protect information assets.
Mattord, Herbert J. and Whitman, Michael E., "Improving Information Security Through Policy Implementation" (2004). SAIS 2004 Proceedings. 41.