Here is the executive summary:
This paper lays out a common-sense approach to writing corporate security policies that makes them easier to draft, maintain, and enforce. Our "question and answer" approach requires no outside consultants. Instead, you can use your in-house knowledge and resources to yield a brief, usable, and -- most importantly -- understandable policy document, in a reasonable amount of time. To help you generate such a policy, this paper clears away some misconceptions about the purpose of network security; details the process of writing the policy; then explains how to keep refining the drafted policy.
It is aimed at small- to medium-sized enterprises. And I just realized, it says, "requires no outside consultants." Steve Fallin, my collaborator, must have snuck that by me.