Gartner - Five Golden Rules for Creating Effective Security Policy
Security policies that are developed by the security team in isolation alienate the rest of the organization and lead to high levels of resistance and counterproductive behaviour.
A rigid policy unnecessarily removes your ability to consider multiple options to hard or complex problems.
Badly worded policies can introduce problems such as inconsistent policy positions, the inability to ensure compliance, unacceptably high-risk profiles or unnecessarily high costs.
Security policies that are not adapted to changes in the business environment or the external environment will become obsolete and restrict business development.
Develop and maintain your policy as a process. Engage heavily with stakeholders who are affected by the policy because this will build support and improve policy quality and pragmatism.
Ensure that your policy is flexible enough to support the array of risk appetites that may exist within your organization.
Have your policy drafted by someone with competence in policy development — the rules are only as strong as the text that expresses them.
Make sure that your policy is pragmatic by testing it out.