You cannot design effective security controls without good security policies. It’s important to create and enforce policies that demonstrate compliance with regulations. This is true of organizations of all types, including business and government. But there is no cookie-cutter approach—each entity will have its own way of implementing and enforcing policies.

Regardless of the information being protected, a security control needs to be designed and implemented to enforce the policy. If a law requires any type of information protection, it also requires proper security controls. This includes physical security controls to protect information in physical form such as paper reports.