A good security policy

• It must be implementable through system administration procedures, publishing of acceptable use guidelines, or other appropriate methods.
• It must be enforcible with security tools, where appropriate, and with sanctions, where actual prevention is not technically feasible.
• It must clearly define the areas of responsibility for the users, administrators, and management.