Most sophisticated businesses have at least some form of a security policy for their organizations. But all too often, those policies are inadequate, fail to comply with regulatory requirements and are profoundly complex and difficult for the average employee to understand. The focus should be on crafting a document that can be easily understood by someone who is not a security professional. This will increase the likelihood that security policies will actually provide the protection they are designed to provide. The drafting team should be comprised of information security experts, HR professionals, legal and other subject-matter experts.”]
Source: https://www.csoonline.com/article/3269330/doing-security-policies-right.html