This has come up recently where I work. There has been little guidance on computer/communications security. New hires will be made aware of policy and we are set to train the current employees within the next month.
I think the biggest aspects of security is making sure that personnel understand why certain protocols are being put into place and enforced. It is easier for people to comply with rules that they have an understanding on.
There are no truly unique or particular provisions in what we are trying to accomplish. We are, however, trying to combine these efforts with proper business practices and IT usage. Examples being, do not save movies on your company laptop, do not download pirated music, etc. Many of these things should go without saying, but if you can show a correlation between streaming video and a slow internet connect for the neighbor, people seem to listen a little better.
The biggest step in finalizing full implementation of policy is enforcement. One can write beautifully articulated rules that hit at finite points or give a step by step remedial action plan, but unless management is going to take the corrective action needed to fix discrepancies, all of these actions serve only a litigious purpose.
Sorry to drone on.
New employees receive a Computer User Policy which has a security section. This must be read and signed. Any questions regarding the policy are discussed with an I.T. staffer.
We also have “university days” which is a company wide education session, IT and security is covered in length. These days are mandatory attendance days; those with valid excuse receive private instruction.
We have several “automated” security features/protocols that essentially take care of everything else. All remove-able storage for example is blocked, web-filtering is active, e-mail security is strict.
Although some may view our policies as lenient, they cover the bases thoroughly and we’ve not had a problem yet.
Hope this helps!