A formal document that defines an organization approach to managing and protecting its information assets, establishing rules and procedures for security.