A Security Policy defines what is permitted and what is denied on a system. There are two basic philosophies behind any security policy:
Generally, a site that is more paranoid (concerned) about security will take the first option. A policy will be in place which details exactly what operations are allowed on a system. Any operation that is not detailed in this policy document will be considered illegal on the system. As you can imagine, this lends itself well to a military mindset, and these types of policy are rare in civilian establishments.
More in tune with the spirit of computing is the second philosophy. Historically, computer users have tried to use a machine's potential to its fullest, even if this meant bending the rules slightly. Anything was acceptable as long as the job got done in the end of the day, nobody got hurt and everyone had fun in the process.
Unfortunately, this philosophy does not work well in today's computing environments. Users have not come to a system learning to respect other users' privacy. The competitive spirit tends to cloud over the ethical issues involved in meddling with another user's files. Indeed, outright sabotage may be a norm in some environments where competition for survival has gone to the extreme.
Most users will behave according to a set of "societal" rules. These rules encourage them to respect each other's privacy and work environments. Such a population of users has a working alliance based on trust, and trust is easy to subvert. A population of trusting users is easily invaded by a malicious user, intent on misusing any system in his or her path.
In both these examples, a well known, documented, and enforced set of rules would maintain every user's privacy and integrity. The rules must be enforcable, because there is no point in making rules that cannot be enforced, and be seen to be enforced. As someone once said:
justice must be done, and it must be seen to be done
A computer system can be considered as a set of resources
which are available for use by authorized users. A paper by