Security Standards, Policies and Procedures
In discussions of computer security, the term policy has more than one meaning. Policy is senior management's directives to create a computer security program, establish its goals, and assign responsibilities.
The term policy is also used to refer to the specific security rules for particular systems. Additionally, policy may refer to entirely different matters, such as the specific managerial decisions setting an organization's e-mail privacy policy or fax security policy.
The term computer security policy is defined as the documentation of computer security decisions, which covers all the types of policy described above.
In making these decisions, managers face hard choices involving resource allocation, competing objectives, and organizational strategy related to protecting both technical and information resources as well as guiding employee behavior. Managers at all levels make choices that can result in policy, with the scope of the policy's applicability varying according to the scope of the manager's authority.
An example of a related Policy, Standard and Procedure:
- Policy - All State of Michigan email mailboxes must be protected by a username/password.
- Standard - The username must follow existing standards and the password must be 8 characters long and have an alpha/numeric combination.
- Procedure - Setting the administrative properties of the mailbox to require that a username and password be set. Auditing the passwords for appropriate password complexity.