Information security policies establish the rules by which organizations can direct funding, people, processes, and technology in a repeatable and secure manner. NIST SP 800-95, Guide to Secure Web Services, defines policy as:
"Statements, rules or assertions that specify the correct or expected behavior of an entity."
Information security policies are developed by examining compliance requirements, obligations under the law, and organization-wide policies and practices. These policies establish the rules for how an organization develops and operates systems using its systems engineering life cycle (SELC) or systems development life cycle (SDLC).