Effective Security Policy Management – Part 4

4. Targeted User Groups

Not all information security policies are appropriate for every role in the company. Therefore, written information security policy documents should be targeted to specific audiences within the organization. Ideally, these audiences should align with functional user roles within the organization. (See Information Security Roles and Responsibilities Made Easy, by Charles Cresson Wood.)

For example, all users might need to review and acknowledge Internet Acceptable Use policies. However, perhaps only a subset of users would be required to read and acknowledge a Mobile Computing Policy that defines the controls required for working at home or on the road. Employees are already faced with information overload. By simply placing every information security policy on the intranet and asking people to read them, you are really asking no one to read them.

Policy documents targeted at specific roles also facilitate the use of automated policy document management systems that distribute and track which users have read which policy documents. Some of these automated systems allow organizations to target specific documents to one or more groups defined in a central directory system, and then track the results for each group.