Well-written policy using the 5 Ws of Journalism

The written policy should clear up confusion, not generate new problems. When preparing a document for a specific audience, remember that the writer will not have the luxury to sit down with each reader and explain what each item means and how it impacts the user's daily assignments. Know the audience for whom the policies are being developed. Remember the reading and comprehension level of the average employee. When writing the policy, remember the "5 Ws of Journalism 101":

1. What: what is to be protected (the topic)
2. Who: who is responsible (responsibilities)
3. Where: where within the organization does the policy reach (scope)
4. How: how compliance will be monitored (compliance)
5. When: when does the policy take effect
6. Why: why the policy was developed

Items 5 (when) and 6 (why) are not usually considered part of the policy text. The date a policy takes effect is normally addressed in the transmittal document: when the policy is published, it is accompanied by a document that explains why the policy was developed and when it takes effect. Policies should not contain explanations as to why they were developed or a compliance date.

When assessing the policies, procedures, and standards that support the network environment, it is most important that there be some written and published documentation. Look to see what is there. Read the documents and then, during your interviews, ask the interviewees how they interpret the policy. [Managing a Network Vulnerability Assessment, Thomas R. Peltier, Justin Peltier and John A. Blackley]
