Semantics!!! If you have a very thorough IT Security Policy, why oh why do you have to then either duplicate it or mash it into your overall GLBA policy?
Okay - what we did - our GLBA program is very broad. In that program, we refer to specific department policies and procedures to cover all the different aspects of Information Security. And finally, at the end of our Information Security Program and Policy, we have an Appendix. In the Appendix, we have a Reference Table. The Reference Table lists policies and procedures and shows what area of Information Security is addressed in that policy or procedure, what department is responsible for that policy or procedure, and the last time it was updated.
One of my LEAST FAVORITE activities is re-inventing the wheel. The other one is duplicating efforts.