The University of Sydney, Page 26

Information Security Policy

– Program-level Policies
  • Institutionalises the IS program
  • Establishes purpose and objectives of the program
  • Defines structure of the program
  • Defines roles and responsibilities in the structure
  • Defines scope of the program

– Program-framework Policies – How?
  • Support implementation of the program
  • Sets the contexts for IT decisions to be made
  • Defines practices, standards & guidelines
  • Defines framework for major IS security initiatives (such as business continuity, Data Centre security, Application development, etc.)