Modern automation systems used in infrastruc-ture (including Supervisory Control and Data Acquisition, or SCADA) have myriad security vulnerabilities. Many of these relate directly to inadequate security administration, which precludes truly effective and sustainable security. Adequate security management mandates a clear administrative struc-ture and enforcement hierarchy. The security policy is the root document, with sections covering purpose, scope, posi-tions, responsibilities, references, revision history, enforce-ment, and exceptions for various subjects relevant for system security. It covers topics including the overall security risk management program, data security, platforms, communica-tions, personnel, configuration management, audit-ing/assessment, computer applications, physical security, and manual operations. This article introduces an effective frame-work for SCADA security policy.