Which document describes an organization’s rules for protecting its assets?

A security policy is a critical document that outlines an organization's rules and guidelines for protecting its assets, including data, hardware, software, and personnel. It serves as a fundamental framework that defines how security measures are to be implemented and enforced within the organization.

The security policy typically includes the objectives of security measures, roles and responsibilities of personnel, the classification of data and information, acceptable use policies, and procedures for handling security incidents. By establishing clear directives, the security policy helps guide employees' behavior regarding security and ensures that everyone within the organization understands their responsibilities in maintaining security standards.

Moreover, a well-formulated security policy is essential for compliance with various legal and regulatory requirements. It provides a basis for risk management and helps in aligning the security program with the organization's overall business goals. This foundational nature is what distinguishes the security policy from other documents like a security framework, incident response plan, or compliance report, which serve more specialized or specific purposes.