1. The overall principles, regulations, requirements, and/or procedures which govern security as expressed by a responsible security authority. Examples: National security policy, Departmental security policy. Note: Responsibility for security may be delegated by Departmental Security Officers to System Managers in accordance with a System Security Policy [CESG].
2. A set of rules that specify the procedures and mechanisms required to maintain the security of a system, and the security objects and the security subjects under the purview of the policy [ECMATR46].
3. A set of rules which define and constrain the types of security-relevant activities of entities [ECMA138].
4. The set of criteria for the provision of security services (see also identity-based and rule-based security policy.) [7498-2]. Note: A complete security policy will necessarily address many concerns which are outside the scope of OSI.
5. See Corporate Security Policy, System Security Policy, Technical Security Policy [ITSEC].
6. The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information [POSIX.6].
7. The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information [TCSEC].