There are obvious differences between government policy and organizational policy, but when it comes to crafting information security policies, there are several elements that apply to both sides. Here are some of them.