Developing A Security Policy

Create a simple, generic policy for your system that your users can readily understand
and follow. It should protect the data you’re safeguarding as well as the privacy
of the users. Some things to consider adding are: who has access to the system
(Can my friend use my account?), who’s allowed to install software on the system,
who owns what data, disaster recovery, and appropriate use of the system.

A generally-accepted security policy starts with the phrase
“ That which is not permitted is prohibited”
This means that unless you grant access to a service for a user, that user shouldn’t
be using that service until you do grant access. Make sure the policies work on your
regular user account. Saying, "Ah, I can’t figure out this permissions problem, I’ll just
do it as root" can lead to security holes that are very obvious, and even ones that
haven’t been exploited yet.
rfc124411 is a document that describes how to create your own network security policy.
rfc128112 is a document that shows an example security policy with detailed descriptions
of each step.
Finally, you might want to look at the COAST policy archive at
ftp://coast.cs.purdue.edu/pub/doc/policy to see what some real-life security
policies look like.