Security practitioners have experience building security mechanisms, be they cryptographic protocols, buffer overflow protections, or access control systems, but are far less familiar with designing security policies for these mechanisms to enforce. This talk will cover some of my recent policy work as applied to web browsers, digital rights management, and medical privacy. For web browsers, we analyzed existing security policies for frame navigation and implemented an improved, principled policy, which has been adopted in both Safari 3.1 and Firefox 3. By analyzing DRM systems, we uncovered several anomalies in an industrial license language and applied linear logic to provide a rigorous foundation for improvements to the language. In the privacy arena, we developed a formal language for expressing privacy regulations such as HIPAA, which governs medical privacy.