This article introduces an effective framework for SCADA security policy. Modern automation systems used in infrastructure (including Supervisory Control and Data Acquisition, or SCADA) have myriad security vulnerabilities. Many of these relate directly to inadequate security administration, which precludes truly effective and sustainable security. Adequate security management mandates a clear administrative structure and enforcement hierarchy. The security policy is the root document, with sections covering purpose, scope, positions, responsibilities, references, revision history, enforcement, and exceptions for various subjects relevant to system security. The policy covers topics including the overall security risk management program, data security, platforms, communications, personnel, configuration management, auditing/assessment, computer applications, physical security, and manual operations.