Security risk analysis is described as a process for ensuring that the security controls applied to a system are commensurate with the risks that system faces. Risk analysis alone, however, is not enough: it is simply common sense to mandate a baseline, a minimum level of security beneath which the organization must not fall, regardless of what any individual assessment concludes.
This is the principal role of security policies: the published and recorded minimum set of controls mandated throughout the enterprise.
Policies and risk analysis should exist side by side and complement each other. Policy guarantees the baseline; risk analysis identifies where a particular system needs controls beyond it. Consideration should also be given to the wider role of security policies, for example in relation to security standards such as ISO17799.
To assist in the task of producing or maintaining a comprehensive set of security policies, we have identified the following specialist portals:
