Security Standards

Lesson 7: Creating a security policy
Objective: Defining Acceptable and Unacceptable Activities

Defining Acceptable and Unacceptable Activities

This lesson covers defining acceptable and unacceptable activities at the resource level in order to create a security policy.
Your security infrastructure is the implementation of your security policies at the operations level. It should include multiple levels of defense and varying degrees of protection, as determined by each system's classification. Your security implementation should specify both acceptable (permitted) and unacceptable (forbidden) activity at the resource level.

Setting permissions

An example of acceptable activities for a corporate Web site is shown in the table below.

Group                  Permissions
User                   1. May browse only the contents of HTML pages in the public folders
                       2. It is unacceptable for anyone except your Webmaster to modify the contents of the HTML documents
System administrators  Have access to all the directories on the Web site for proper administration
Webmaster              Has access that allows him or her to modify the contents of the HTML documents

The above suggestions for acceptability might not apply to all companies.
Acceptable activities are best used when applying security measures to an intranet site rather than an Internet site.
The SC - Security Magazine Web site is an excellent resource when first preparing to create a security policy.
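The permission table above expressed as a deny-by-default access check, an added example that is not part of the lesson: anything not explicitly listed as acceptable is treated as unacceptable, requested paths are canonicalized so that ".." segments cannot escape the public folders, and each decision is returned as a log line to support the auditing requirement. The group names, the /www and /www/public paths, and the requests are constructed for illustration.

```python
# Added example: policy-as-code for the lesson's Web-site permission table.
# Group names, directory layout and requests are assumptions, not from the lesson.
from posixpath import normpath

WEB_ROOT = "/www"                    # assumed root of the Web site
PUBLIC_ROOT = "/www/public"          # assumed location of the public HTML folders


def _is_site_path(path: str) -> bool:
    """Any directory or file under the Web site root."""
    return path == WEB_ROOT or path.startswith(WEB_ROOT + "/")


def _is_html(path: str) -> bool:
    """HTML documents anywhere on the site (Webmaster scope)."""
    return _is_site_path(path) and path.endswith(".html")


def _is_public_html(path: str) -> bool:
    """HTML pages inside the public folders only (User scope)."""
    return path.startswith(PUBLIC_ROOT + "/") and path.endswith(".html")


# Acceptable (group, action) pairs mapped to the path scope they are permitted on.
# Everything absent from this table is unacceptable and is denied by default.
PERMITTED = {
    ("user", "read"): _is_public_html,
    ("webmaster", "read"): _is_html,      # assumed: modifying implies reading
    ("webmaster", "write"): _is_html,
    ("sysadmin", "read"): _is_site_path,
    ("sysadmin", "write"): _is_site_path,
}


def check_access(group: str, action: str, path: str):
    """Return (allowed, reason). The path is normalized first (".." collapsed);
    note that normpath does not resolve symlinks, so enforce that at the OS too."""
    canonical = normpath(path)
    rule = PERMITTED.get((group, action))
    if rule is None:
        return False, f"{group}:{action} on {canonical}: no rule permits it, denied by default"
    if not rule(canonical):
        return False, f"{group}:{action} on {canonical}: outside permitted scope"
    return True, f"{group}:{action} on {canonical}: permitted"


def audit(requests):
    """Evaluate a batch of (group, action, path) requests and return audit log lines."""
    return [f"{'ALLOW' if ok else 'DENY'} {why}" for ok, why in (check_access(*r) for r in requests)]
```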

Unacceptable activity

Regularly define and list unacceptable activity. This takes time and requires frequent updates, but the repetition also produces a more effective policy.
By listing specific activities, you can make sure that they are specifically accounted for in your protection mechanisms, and that your users know the policies.

Policy requirements

Your security policy should include
  1. Itemized hardware, software, and security requirements
  2. Physical security
  3. Procedures for system failure
  4. Procedures for handling system breaches
  5. Policies for users and system administrators
  6. Requirements for auditing
  7. Administrative responsibilities for securing specific systems

Implementing security

Apply your security policy as consistently as possible by
  1. Categorizing and documenting resources
  2. Defining and publishing your security policy
  3. Securing each resource and service
  4. Logging, testing, and evaluating all systems
  5. Keeping your policy current and updating it

Creating Security Policy Guidelines

The link below discusses the steps and guidelines involved in creating a security policy.
Creating Security Policy