Policies form the base for all security plans.  A clearly defined policy allows everyone to know what is and is not allowed.  Without a policy it is difficult for users to know what is proper, and it is impossible to correctly configure software and hardware to meet your requirements.  Once a policy is defined we have a reference point to work from to achieve your goals.  A policy is constantly evolving as new technology unveils itself, but by focusing on the concepts, not the specific technologies, a well written policy shouldn't need to be adjusted all the time.

Basic policies should indicate that company equipment and resources should be used only for company related activities, and that programs outside of that realm should not be installed or used. All members of an organization should be taught to inform someone if they believe a security incident has occurred and to report any lost equipment immediately.  This forms a basic response plan that everyone should be familiar with including the primary people to call and what basic information they should try to capture.  Disbursing forms beforehand can decrease the amount of confusion during a security incident.