Request for Comment 2196, Site Security Handbook, defines a security policy as "a formal statement of rules by which people who are given access to an organization's technology and information assets must abide."

For help in developing a security policy, refer to RFCs 2196 and 2504, which are available on the Web at www.ietf.org.

Your policy is a living document; update it to reflect changes and review it at least every 3 years, even if there are no changes.