InfoSec policies must contribute to the success of the organization, and end users of information systems should be involved in the steps of policy formulation.
An organizational-level policy that provides detailed and targeted guidance about how to use a shared resource in a secure way; it is more detailed than the EISP and changes more often.
Low-level organizational policies that provide both managerial guidance and technical specifications to be used when configuring or maintaining systems.
Explains how technology should be used and controlled, and how the organization is indemnified against liability for misuse; begins by introducing the organization's fundamental resource-use philosophy.
ISSPs can be created as a number of independent documents, a single comprehensive document, or a modular document that unifies policy creation and administration while maintaining each specific issue's requirements.
Similar to a set of standards or procedures that must be followed when dealing with specific systems; can be used for managerial guidance or contain technical specifications.
Specifies who can use the system, what authorized users can access, when they can access it, where they can access it from, and how they can access it; assigns privileges such as read, write, execute, and delete.