Security Policy FAQs Do formal information security policies exist? How will they be distributed? Is it possible for legal counsel to be present to ensure advice given is consistent for criminal activity and law enforcement issues (e.g. federal communications)? Are there plans to communicate new policies to agencies? Will policy developments/dissemination be filtered down to agency chief information officers (CIOs)? Will there be a regular forum for agency CIOs to attend and communicate with OCTO on information technology (IT) issues? Do you contact the agency director or the IT manager when there is a problem or breach of policy? What if policies we already have in place are more secure than these policies? Will there be a formal orientation to go over information security policies?