The document discusses developing effective information security policies through a multi-step process. It begins with defining different types of policies like enterprise, issue-specific, and systems-specific policies. It then outlines the key phases to developing policies which include investigation, analysis, design, implementation, and maintenance. Specific guidance is provided for each phase, such as conducting a risk assessment in investigation and specifying enforcement in design. Effective policies must be properly disseminated, understood, and agreed upon.