ABSTRACT

To the seasoned information security practitioner, asking why information security policies are important may seem like a question with an obvious answer. The answer is not so obvious to the organization's end users, many of whom may feel that if everyone applies common sense, there is no need to read and sign off on voluminous sets of policies. Although information security policies are very important, they can easily become shelfware if their development, management, and distribution are not handled appropriately. The security department may have run a large project to develop the information security policies, placed them on the Intranet, and then considered itself “done.” This information becomes very useful during incident investigations, terminations, and lawsuits where the company wants to demonstrate that the employee had clear knowledge of the policy and chose to violate it.