Information Security Policies are special type of documented business rules and high-level statements that provide guidance to staffs who must make present and future decisions dealing with information handling technologies.

Security policy is generally formulated from the input of many members of an organization as well as the standards and norms of the organization's industries. Good security decision-making is based on an organization security policy, which provides the most important and most frequently referenced source of instructions detailing how staffs should protect both data and information system.

A procedure is a method by which a policy can be accomplished; it provides instructions necessary to carry out a policy statement. Procedures may be called “desk-out” operating procedures or work standards.

Being expertised in IT security, HiTRUST assist clients to create new or modify existing policies and procedures to ensure clients' business is using “best practices” for their internal security decision. HiTRUST draws comprehensive information from relevant resources and guideline and tailors that information to clients' organization.