Cisco
prox, 2012-08-18 15:50:26

Document on information security in your company?

One of the most important documents of a self-respecting company should be a document on information security (security policy), which should describe the policies and procedures for information security.
The length of the document may vary. Employees must comply with at least basic requirements.
Examples:
— Internet security policy,
— Data backup and recovery policy,
— Password policy,
— Corporate network resource access control policy,
etc.
So the actual question is: do you have such a document, is it observed, and what topics does it include?


7 answer(s)
Dmitry, 2012-08-18
@DjLee

Perhaps in our company there is such an instruction, but in fact everything is transferred to new employees of the IT department by us (security guards) orally ...

Vyacheslav Golovanov, 2012-08-18
@SLY_G

The first point of the document on information security is not to tell anyone about this document ...

porzione, 2012-08-18
@porzione

Typically, such a document is an annex to the employment contract, and it is not subject to disclosure.
For ordinary employees, this is usually a list of prohibitions: installing pirated software on your computer, installing sharing clients and other products, or a general prohibition on installing anything, with use limited to what the IT department has installed.
Accordingly, only the IT department deals with backups, access restrictions, etc.

Nikolai Turnaviotov, 2012-08-18
@foxmuldercp

Most often, security on the IT side is handled by the IT department, sometimes by dedicated employees with the appropriate education in information security.
The usual SB is most often made up of former cops / KGB / SBU / their local equivalent, who understand IT little and poorly, and who are for the most part advanced in age and rank.
And the policy is usually described by group policies in the domain and settings on the proxy and mail server.
In my experience, I have come across such documents once, when I got a job in a bank, but to be honest, I could not be bothered to read a few dozen A4 sheets of this nonsense - I just signed and handed it over.

Nikolai Turnaviotov, 2012-08-18
@foxmuldercp

And instructions for settings - backups and so on - yes, sometimes they are made, sometimes they are sent to all employees in the form of an order.
But there is only one way to accustom all employees to storing all documents on file servers: mapping "My Documents" to a network drive, prohibiting the writing of music / video there through policies on the file server, and forcibly closing local disks for writing, with admin rights taken away. And a list of software that can be installed on work machines.

Nikolai Turnaviotov, 2012-08-18
@foxmuldercp

Or thin clients and rdp/vnc servers.

Anastasia Belousova, 2016-04-21
@nickelcore42

You correctly write that the information security document is one of the most important documents, because it is at the top of the hierarchy of information security documents.
Ideally, a company should have an IS Concept and an IS Policy. If the company is also the operator of personal data, then according to Federal Law-152, a Policy for the processing [and protection] of personal data should be developed.
Organizational documentation can be logically divided into two parts: organization of protection and provision of protection. The first sets out the organizational matters, the second how the admins need to configure everything in order to comply with the plans of the organizers. Do not forget about the assignment of responsibility for each area of work: data destruction, data backup, access to office premises, etc.
