Goal of security policy

To lower the risk of human interaction with information

systems by improving the knowledge of security practices
within the organisation, and to successfully implement
effective security controls without breaking compliance.
Indicators of bad security policies:

🚩 Far too long.

🚩 Far too technical.
🚩 Far too generic.
🚩 Far too boring.
🚩 They don’t target the biggest risks to
the business.
Effective writing
 Make it easy to read
Use sentence case
Only capitalize the first letter of a heading, sentence, nouns, and proper nouns.

Noun
A word that refers to a person, place, thing, event, substance, or quality.

Proper noun
The name of a particular person, place, or object that is spelt with a capital letter.

Use short sentences

Short sentences are easier to read. Use full stops instead of commas.

Use short paragraphs

White space makes a policy easier to read.

Use simple words

They are faster to read.
 Make it easy to read
Use subheadings
People scan documents. Subheadings can be used to summarise a paragraph.

Avoid jargon
The use of jargon will confuse your readers.

Use conjunctions
Connecting words like “and” and “but”. Conjunctions keep people reading.

Use the active voice

Policies are instructions. You are telling them something they need to do.
The analyst will monitor the SEIM for alerts.
The network engineer will configure the firewall, following the instructions in section > secure
configuration. If you can add “by monkeys” at the end, you are in a passive voice.

Use Grammarly or Hemingway

These are free tools that can help to improve the clarity of your writing.
 Sound more human
Tone of voice
Vary your tone of voice for your audience. A high-level policy will be read by more people. A friendlier
tone will be required for the non-technical people of the organisation.

Write as you’d speak

The reader will follow along as if they were speaking. The document will flow better.

Vary sentence length

Using too many short sentences can sound robotic. Varying the length will keep it interesting, and sound
more human.

Use the passive voice

When something might be taken as offensive, use the passive voice. It will not single out members of
your audience. Remember, if you can write “by monkeys” at the end, you are in a passive voice.
 Avoid the use of
Employees
You have to address your co-workers as something, “personnel” or “staff” are better alternatives.

Users
People don’t like to be called users.

You/your
There are better ways of speaking to the audience.
If you need to report a phishing email, contact the security team.
Phishing emails must be reported to the security team.

Contractions
Using mustn’t or shouldn’t informalize the instruction and make it sound like a suggestion.
Clear, direct and as an instruction
Readership
 Diverse audiences
Remove technical jargon & acronyms
Include a definitions section
Is English their native language?
Translations
Reading age
Legal terms and language
 Thank you!

https://www.cybsafe.com/blog/how-to-write-like-cybsafe/