Every company, big or small, needs to have a Security Policy. A Security Policy governs what a company can or cannot do. A security policy is not a single document; it is a combination of documents, each aimed at specific users.
Now, when you are designing IT Governance (read Security Policy), the first rule of thumb is that business needs come first.
- You also have to be aware that your governance design does not have to be static; it needs to adapt.
- If users are faced with a design that seems to slow or hamper their production, they tend to look for a way around it, which defeats the purpose.
- Your design has to reflect the users in your company at every level, up to management and the CEO.
- There has to be buy-in from your management; otherwise the design will not be accepted.