Creation of policies that outline the expectations for the security of an organization's information systems.