Written information security policies should have a defined “effective date” and “expiration” or “review” date. This is critical so that individuals and organizations know when they are subject to the rules outlined in the policy, and when they can expect updates. The effective dates within your security policies should match the organization’s written objectives with regard to updating policies. For example, if written policies are to be reviewed at least annually, the effective date and review data should obviously be a year apart. As each policy comes up for review, the document owner (mentioned above) will review the document for possible updates. Once reviewed, the document can again be published with a new effective date and review date.
Version control and effective policy dates are necessary if the organization is going to successfully apply sanctions to individuals who may violate the policy. For example, if you don’t know which version of the Internet Acceptable Use policy restricted the use of personal instant messaging, how can you sanction anyone for violating the policy? Many users who were terminated for violating a company policy have successfully defended themselves by pleading ignorant when the company who fired them had a haphazard set of old, incomplete, and out-of-date policies. A regularly updated set of policies is another indication of management support.
