This article from the Journal of Accountancy concerning primary ingredients of data security policy includes components such as a review of internal control and an indication of the consequences employees could face for failure to comply with the policy.


http://www.journalofaccountancy.com/Issues/2010/Jun/20092445.htm