The purpose of an organizational internet security policy is to decide how an organization is going to protect itself. The policy will generally require two parts: a general policy and specific rules. The general policy sets the overall approach to organizational internet security. The rules define what is and what is not allowed. The rules may be supplemented with procedures and other guidance.