Security Basics mailing list archives

RE: How to distribute corporate policies


From: "Dickman, Jeff" <Jeff.Dickman () sunmed com>
Date: Fri, 13 Oct 2006 15:35:26 -0600

We currently use three steps in releasing policies to our company.

1.  Publish to Intranet
2.  e-mail distribution to applicable employees
3.  physical (and documented) training as necessary for applicable
employees

The degree of notification depends on how the policy applies to the
employees.  

For example, with some policies, such as a Firewall policy, employees
have no input and cannot even change the settings on their software
firewalls.  They would not even receive notification of this policy.
However, IT does have the capability to control this, so all of IT would
receive this policy via email, and the Network Admins who control the
firewall and enterprise management software would sit through a training
to ensure they understand the policy.

Jeff Dickman
GIAC Certified ISO-17799 Specialist 

NOTE: The views expressed in this message are my own and not necessarily
the views of my employer.


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Nick Duda
Sent: Thursday, October 12, 2006 9:59 AM
To: security-basics () securityfocus com
Subject: How to distribute corporate policies


I'm curious as to how other corporations distribute their InfoSec
policies to their employees. A task I will be faced with soon is
distributing (making known) corporate policies such as Acceptable Use,
Password, AntiVirus, etc. For them to abide by policy they need to know
about them. Should they also sign them? That would be a lot of paper, or
should they just be placed on an intranet type of setup to view?

If that's the case (intranet) what are methods of announcing them and
future new policies as they are written, email? I'm looking for opinions
and how others do this.
Regards,
Nick




---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

