Security Policy

The security policy is produced by senior management and outlines the role security plays within an organization, without going into details such as technology or solutions. It outlines the goals and mission of the security program and how the program will be set up, assigns responsibilities, and describes how enforcement should be carried out. When a policy needs to describe a technology, the policy should be solution-independent.

Issue-specific policy
Issue-specific policies identify and define specific areas of concern and state the organization's position. Depending upon the issue and attendant controversy, as well as potential impact, issue-specific policy may come from the head of the organization, the top management official, the Chief Information Officer, or the computer security program manager.

System-specific policy
System-specific policies state the security objectives of a specific system, define how the system should be operated to achieve the security objectives, and specify how the protections and features of the technology will be used to support or enforce the security objectives. A system refers to the entire collection of processes, both automated and manual.