Security policy
Ranks information risks, identifies acceptable security goals, and identifies mechanisms for achieving these goals
Drives other policies
Acceptable use policy (AUP): Defines acceptable uses of firm’s information resources and computing equipment
Authorization policies: Determine differing levels of user access to information assets
Authorization management systems
Allow each user access only to those portions of a system that person is permitted to enter, based on information established by a set of access rules, profile