One of my first tasks after leaving NSA for private industry in the early 90s was to write my new company’s information security policy. I’m not sure my previous job as a cryptanalyst left me qualified for this, but I was viewed as the security guy. So, I attacked the task with vim and vigor. That first information security policy I wrote was a thing of beauty. I scoured the Orange Book and other resources to find every security requirement that might help us prevent a security incident.