I have been spending much of my time of late reviewing and assessing various security, privacy, communications, human relations, and other policies for various organizations. A common theme among them is that many of these documents lack the fundamentals required for any effective and enforceable policy. This has led me to the content of this blog entry: the fundamentals for drafting policies. While these points may seem self-evident, it is remarkable how seldom we see them in practice.

In drafting your next policy or in reviewing your existing policies for potential revision, consider the following points.

First and foremost, policies must be written in plain English, understandable by the average employee to whom they are directed. This is by far the most abused and seldom followed requirement. We see policies that are extremely complex, reference other policies, and use terminology without clear definitions. In one instance, an entity's technology use policy was divided into no less than twenty separate interlocking policies. The average employee would hardly make the effort to locate and read all the policies, let alone understand them.

The policy must begin with a clear overview as to why the policy is important to the organization, including a statement of support by senior management. The overview should also tie the overarching goals of management to the individual obligations of the employees, for example by explaining how information security cannot be achieved without the commitment of every employee.

The policy should make clear the potential penalties that may result from an employee's failure to adhere to its requirements (e.g., suspension of access to system resources, termination, potential civil and criminal liability, etc.). The employee should be required to sign the policy and acknowledge he or she has read it.

Finally, the policy should be recirculated on at least an annual basis, with quarterly follow-up on key items.