


Drafting More Effective Policies

Mar 30, 2010 | 2 mins
Data and Information Security

I have been spending much of my time of late reviewing and assessing various security, privacy, communications, human relations, and other policies for various organizations. A common theme among them is that many of these documents lack the fundamentals required for any effective and enforceable policy. This has led me to the content of this blog entry: the fundamentals for drafting policies. While these points may seem self-evident, it is remarkable how seldom we see them in practice. In drafting your next policy or in reviewing your existing policies for potential revision, consider the following points.

  • First and foremost, policies must be written in plain English, understandable by the average employee to whom they are directed. This is by far the most abused and seldom followed requirement. We see policies that are extremely complex, reference other policies, and use terminology without clear definitions. In one instance, an entity’s technology use policy was divided into no fewer than twenty separate interlocking policies. The average employee would hardly make the effort to locate and read all the policies, let alone understand them.
  • The policy must begin with a clear overview as to why the policy is important to the organization, including a statement of support by senior management. The overview should also tie the overarching goals of management to the individual obligations of the employees, for example by explaining how information security cannot be achieved without the commitment of every employee.
  • The policy should make clear the potential penalties that may result from an employee’s failure to adhere to its requirements (e.g., suspension of access to system resources, termination, potential civil and criminal liability, etc.).
  • The employee should be required to sign the policy and acknowledge that he or she has read it.
  • Finally, the policy should be recirculated on at least an annual basis, with quarterly follow-up on key items.


Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
