Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes and procedures are maintained and used to manage protection of information systems and assets.