Research Your Security Requirements
As a first step in planning your security policies, try to have answers for the following types of questions:
What documents do you want to protect?
What code do you want to control the execution of?
Are there any natural categories you can define based on business function (for example, marketing, sales, engineering)?
What is the level of risk posed by your users? Are your applications used only by trusted, internal people or are they open to a wider audience?
How sensitive is the data you are protecting?
This list is not necessarily comprehensive, but it will get you started thinking about your security policy.