It is important because organizations’ policies in some ways reflect the underlying culture and values. Modern organizations instill performance and cultural values such as mutual trust and confidence as an integrative mechanism (Fairholm & Fairholm, 2008: pp.103-104) rather than exercising sheer authority and control (Masters, 2005: p. 271). Mayo Foundation (referred to as Mayo in rest of paper) outlines a guidance oriented policy. In contrast to Mayo, Beth Israel Deaconess (referred to as Beth Israel in rest of paper) has a strongly authoritative tone in outlining its policy with strong worded phrases such as “Users have no expectation of personal privacy of any kind related to their use” compared with “contents will not be monitored, observed, viewed, displayed or reproduced in any form by anyone other than the sender or recipient unless specifically authorized by an officer” in Mayo for the same purpose. Georgetown University (referred to as Georgetown in rest of paper), on the other hand, presents a matter-of-factly and exhaustive policy covering several aspects of security separately. Amongst the three policies, Mayo was found to be the most well structured and easier to follow with cross referencing links leading to further details, such as local implementations or human resource policies, for specific areas where needed.
Some of the common themes followed in each policy are confidentiality, integrity and availability of information. These themes are also recognized by NIST as foundations for an information security policy (Ross et al, 2007: p. 4). At a specific level, prudent use of resources, data access control and physical security are found common in all three policies. While these themes are covered in each document, the way they are implemented and enforced is different. For example, in terms of confidentiality, Mayo clearly and concisely describes how information is to be accessible to authorized personnel at authorized