Writing Identity Policies

We've already discussed four important attributes of a good identity policy. In addition to those specific attributes, there are important guidelines that will help ensure that your policies are implementable, enforceable, understandable, and guided by the business:

  • Never release a policy that you can't or won't enforce. Creating policies that people ignore weakens the process.

  • Build a policy review framework. The review framework is a document that gives status information and a review schedule for each policy.

  • Good policies are general enough to not need frequent updating. Policies should be unambiguous without being so specific that they lose their relevance with every change to the business operations of the organization.

  • Avoid referencing specific standards or products in your policies. Instead, use an interoperability framework to call out specific products and standards. Merely reference specific sections of the interoperability framework in the policy. This will ensure that policies don't have to be continually updated as new products and standards are released.

  • Policies should not specify processes or "best practices." Instead, policies should state "what" is required, not "how" it is to be done.

  • Policies should not contain confidential or proprietary information, because they will be widely distributed. When this is unavoidable, be sure that the policy is properly classified and that the chosen classification still allows everyone who must see it to have access.

  • Rather than writing large, ...
