The security policy is the definition of what it means to be safe for an organization, system or other entities. For an organization, it addresses constraints on the behavior of its members as well as the constraints imposed on the enemy by mechanisms such as doors, locks, keys and walls. For systems, security policies address the constraints on the functioning and the flow between them, constraints on access by external systems and enemies, including programs and access to the data by people.

If it is important to secure, then it is important to ensure that all security policies enforced by a mechanism that is strong enough. There is an organized methodology and risk assessment strategies to ensure the completeness of security policy and ensure that they are actually enforced. In a complex system, such as system information, the policy can be decomposed into sub-policies to facilitate the allocation of security mechanisms to enforce sub-policies. However, this practice has pitfalls. It is too easy to just go directly to the sub-policies, which basically rules of operation and issued by top-level policy. Which gives a false sense of security that address some of the operating rules of the overall security definitions when they are not. Since it is very difficult to think clearly with the completeness of the safety, operating rules declared a "sub-policy" without "policy super-" usually turns into a rambling ad-hoc rules that fail to enforce something with completeness. As a result, top-level security policies critical to serious security schemes and sub-policies and operating rules are meaningless without it.