I am working on some ways to keep my cybersecurity policy as simple as I can for employees. Our full policy includes the normal items that our back end technical team handles and is responsible for. (AV deployment/logging/patching/etc...) The average employee isn't responsible for most of it. I created a "Standard Employee" version of the policy with the things I felt were relevant to all employees. Everything was pulled out of the full policy, word for word. This cut down the length of the document by about 90%.
What are best practices regarding this? Should I have 2 separate policies? Should the employee version not be a "policy" and just a training guide or help document? Should all employees sign off on the full policy or just the subset policy?
As you can see I have a few different ways to do this, so I am wondering what others have done. Any help is appreciated!
I can't be sure without seeing what you have, but it seems to me the "full" policy should probably be broken up into smaller policies, with one ring to serve them all, as it were, referencing the "big ones" (Acceptable Use, BYOD, etc. ) Then people sign off on the policies they are affected by. Asking people to sign off on an omnibus document, most of which has nothing to do with them, is an invitation to robo signing on their part. It is also easier when you update policies for whatever reason, to send them out and ask that they be reread, if it is a few pages, rather than 100 pager, and you can target your audience. For example, only employees with BYOD devices get updates on the BYOD policies. If we want to have employees take security seriously, we have to put forth some effort to help them, and making policies readable and modular seems like a pretty small step.