Information security education includes many topics, some technical and some managerial. One topic that is central to all of these is that of information security policy. Before policy can become the centerpiece of information security education, a coherent model that can encompass the broad range of the topic is needed. In addition to the essential elements of policy, students also need to be exposed to the best practices for managing information security policy. Once a teaching model for policy is selected, faculty can use lectures, project assignments and lab exercises to reinforce student learning.