The document outlines a model for developing and implementing an effective information security policy. It discusses the steps involved in formulation, implementation, and enforcement of such a policy. These include identifying threats, assessing risks, developing policy statements, gaining management support, educating employees, and periodically reviewing the policy. The goal is to develop a policy that addresses an organization's risks and gains organization-wide compliance.