Best Practices for IT Security Policy Framework Creation

Your policies need high visibility to be effective. When implementing policies, you can use various methods to spread the word throughout your organization. Use management presentations, videos, panel discussions, guest speakers, road shows, summits, question/answer forums, and newsletters. Introduce computer security policies in a manner that ensures that management’s support is clear, especially where employees feel overwhelmed with policies, directives, guidelines, and procedures.

Remember that the work of building awareness and gaining acceptance of security policies does not start when the framework is published. Its success will be determined by how it is put together and who is involved. Every organization is different, and differences play out in many ways. Organizations vary as to their industry or field, their regulatory requirements, their culture, and their leadership personalities.

All of these are necessary considerations as you start to develop a framework. In general, you should state core principles in the form of goals up front. These goals define “what” the framework must achieve, and they are typically nonnegotiable security requirements. First get buy-in on the “what,” and then get others to work together with you on the “how.” You can be more flexible on the “how” than the “what.” Gain ownership from key user groups by offering them choices on how to achieve policy goals. Executives and end users know the business and can usually find ways to integrate security processes while minimizing operational impact.

Formulating viable computer security policies is a challenge. It requires communication and an understanding of the organizational goals and of the potential benefits that will be derived from the policies. Through a carefully structured approach to policy development, you can achieve a coherent set of policies. Without such policies, there’s little hope for any successful information security system.
