
A Security Policy is a rule or set of rules that govern the acceptable use of an organization’s information and services to a level of acceptable risk and the means for protecting the organization’s information assets. In cyber security specifically, is it a rule or set of rules applied to an information system to provide security services.
Source: CNSSI 4009, NIST SP 800-53 Rev 4, NIST SP 800-130, OASIS SAML Glossary 2.0