Back in the year 2000 Scott Culp published a paper outlining the 10 Immutable Laws of Security. I've restated them here to be concise but strongly encourage you to read the original article as it develops each law to discuss each in turn.
If you're new to information security and would like to put everything in context then Scott's paper will help. In addition remember that information security is all about risk measurement, mitigation together with policy, process and people - security policy must support the requirements of the business whilst mitigating the risks to a level that the company are comfortable with.
Policy and processes must be constantly reviewed and updated to ensure compliance with the requirements and operation of the business. People outside the security team must be involved with and buy into the security of information otherwise they are likely to take shortcuts.
Security Policy must be realistic - users can be encouraged to comply with reasonable security policy and associated guidelines - if they think "the policy's stupid" then they are far less likely to follow it. Security policies must "have teeth" to make it clear to users that failure to comply will result in consequences.
Here are the 10 Immutable Laws of Security: