In short, a security architecture policy is a formal statement of the rules that govern an organization's security architecture and the roles that have access and responsibility in maintaining its information and technology.

These policies aren't one-size-fits-all and are most effective when they're custom-tailored for each organization. Security architecture policy comes from assessing the entire environment to determine applicable risks and vulnerabilities as well as what countermeasures should be taken in order to mitigate and contain these risks.

It's essential that enterprise security architecture policy be endorsed and enforced starting at the top of the organization and moving down through every person who interacts with the environment. This includes non-employees, as well as those who work for the organization. In order to help everyone adhere to the policies that have been put forth, the security architecture team will develop a set of security architecture standards.