Many folks here have PMed me about security policy writing. I figured I'd answer in a public arena so that everyone can benefit.

Here are tw RFCs that are great places to begin your adventure:

Look these over and you should have a good idea of how to begin and how to tighten your policies.

Hoe this helps!