Question:
Review the three categories of policy that are presented here.
Enterprise information security policy (EISP): Developed within the context of the strategic IT plan, this sets the tone for the InfoSec department and the InfoSec climate across the organization. The CISO typically drafts the program policy, which is usually supported and signed by the CIO or the CEO.
Issue-specific security policies (ISSPs): These are sets of rules that define acceptable behavior within a specific organizational resource, such as e-mail or Internet usage.
Systems-specific policies (SysSPs): A merger of technical and managerial intent, SysSPs include both the managerial guidance for the implementation of a technology and the technical specifications for its configuration.
Principles Of Information Security
ISBN: 9780357506431
7th Edition
Authors: Michael E. Whitman, Herbert J. Mattord