Information policy at the enterprise level is invariably an exercise in gaps and inconsistencies. The range of concerns�including security�is broad, the environment tends to be heterogeneous and dispersed, the contextual scope is significant, and the stakeholders are numerous. MITRE ran headlong into this problem as it set about conceiving and implementing a new enterprise IT architecture, with questions increasingly raised regarding what policies the new architecture had to be capable of supporting. The MITRE Information Policy Framework (MIPF) is the mechanism MITRE developed to answer these questions. The MIPF supports systematic, structured analysis and formulation of information policy in five areas: security, privacy, management, stewardship, and sharing. This presentation will discuss the structure and use of the MIPF, with an emphasis on security requirements.