One more key best practice is to ensure these are published on the corporate Intranet, where links and the website itself can be shared with all users. The ISC template resources link provides excellent boilerplate security policies that can be further adapted for corporate needs.

The following are several tips and tricks you can use to make sure you move from “no good to great” security policies.

*  Do not fail to add an expiration date to your security policies. This will force you to both review and update them on a regular basis or risk being embarrassed because they are out of date.

*  Do not ask anyone to memorize your security policies. Spend your time doing something meaningful instead, such as reviewing ways to implement the 20 Security Controls in your company.

*  Do not use your security policy as an attempt to control small and oftentimes personal issues. Instead, make sure your security policy addresses specific risks in your organization. Without a direct mapping to risk, it will be very easy to have too many security policies scattered all over the place.

*  Do not have too many security policies. I recommend you hold up both hands right now and wiggle your fingers as you consider how many security policies you might actually need.

*  Will violation of your security policy eventually lead to the policy violator realizing their opportunity to violate security policy at a different company? It should. Otherwise, your document is really a suggestion and not a policy.

*  Do you have your security policies stored in a single, easy-to-find location? It would be a shame to spend all that time and have no one ever read your security policies.