Security policies are mandatory in all organizations. Your users must known what they can or can’t do, when and how. They must describe how security incidents are handled. Security policies can also be used in case of litigation and must avoid all ambiguity!
I found a nice white-paper about this topic: How to write effective policies.
Source: www.infosecalways.com.