Many folks here have PMed me about security policy writing. I figured I'd answer in a public arena so that everyone can benefit.
Here are tw RFCs that are great places to begin your adventure:
Look these over and you should have a good idea of how to begin and how to tighten your policies.
Hoe this helps!