I like the direction you are going with this, and I wish you success,
but let me share some personal experiences.

Whenever I've tried to get feedback from general employees about
policies it has been difficult, to say it mildly. Most people don't
care about policies or procedures unless it prevents them from doing
work, and they have no idea what a good policy is. You might have more
success writing a draft policy and then posting it for review. Even
better would be to get each stakeholder in a room, ask them
individually about their wants and requirements, and draft a policy
from that.

As has been said, don't refer to employees as "users"; I usually use
"people" or "employees".

A proper security policy includes productivity in its assessment.
After all, a computer that is turned off is "secure" but useless;
productivity should be the primary driver behind your security
policies. For example, do you really need anti-virus if the amount of
productivity lost from enforcing its use is more than the amount lost
from an outbreak?

I would avoid telling people what your motivations are: "I don't want
to be the bad guy", how things are or are not: "this is not a
democracy", and such. It lengthens the message, giving you a TL;DR
situation, and is not really relevant to the process. This information
should be available, but it could detract from your primary message.

You probably want to make sure your policy process includes some kind
of feedback process; so if people have issues with the policy after
it's been around for a while they can issue a complaint or suggestion.
Policies should be living documents. You may even want to start with a
full policy and then solicit feedback, but you still won't get a lot
until it starts to affect the way people work.

I often tell people "if you wouldn't want it to show up in a court
room, don't do it at work" and "anything on your work computer belongs
to the company, do you really want to give that away?" with regards to
professional behavior and personal material, with mixed success. But
at least they know the risk.

On Fri, May 21, 2010 at 6:38 AM, Edward Ned Harvey <lop...@nedharvey.com> wrote:
> For the moment, I am not asking you what you think is good policy.
>
> For the moment, I am only asking for feedback on my intended style, to
> introduce policy in an organization that formerly had none.
>
> I’m looking for perspective outside my own brain and eyeballs.  Please
> imagine you are a user, in a company with no policy.  You probably keep your
> password secret, at least most of the time, because you probably think that
> makes sense.  But not everyone does.  You probably only pirate tiny little
> softwares, like winzip, which you’re easily able to use without getting
> caught.  But somebody might be pirating big stuff like autocad.  And so on.
> There’s probably no porn, but who knows...  You get the idea.  In other
> words, everybody is free to simply make all their own choices.
>
> As soon as any new rules are introduced, I would anticipate, users will
> object and feel restricted.  Nobody likes giving up freedom they already
> had.  So my goal is to introduce new policy in such a way that users feel
> willingly compliant.  Hopefully even the extremists will be willingly
> compliant, but if not, they’re going to have to take it anyway.
>
> So my strategy is this:  I created a mailing list, similar to the one you’re
> reading now.  I invited everyone to join it, with the following invitation:
>
> (Actually, I’ll post the invitation in a separate email.  I think it’s more
> effective that way.)
>
> _______________________________________________
> Discuss mailing list
> Discuss@lopsa.org
> http://lopsa.org/cgi-bin/mailman/listinfo/discuss
> This list provided by the League of Professional System Administrators
>  http://lopsa.org/



-- 
Perfection is just a word I use occasionally with mustard.
--Atom Powers--

