I am currently working in my company's information security team. The management of the company has asked to participate in the review and revision of our current IT security policies. I am a member of the trusted and respected computer security team. Management has already asked me to help review the content of the annual safety training.
Our current range of strategies is very comprehensive and covers topics such as staff security, cloud security, physical security, logical access security, and more. however, only the computer security team and the computer function in general is affected by many of these policies. Examples:
Parties that speak of access administration are probably not relevant to a customer service representative working in a call center.
If you do not work in IT, the requirements for demagnetizing backup media are probably not helpful.
My concern for everyone, regardless of their role, to recognize all policies is that they could pay less attention to policies that really concern them – for example: storage of sensitive data for human resources safeguards or social engineering for a CSR in the call. center. In other words, the amount of reading can deter users or simply click on the strategies to perform the tedious task. and do not recognize the importance of what they read for the company's computer security mission. We are an insurance company and work with sensitive credit card and health information. We must also comply with PCI DSS, SOX 404 and DOI State regulations.
Based on the comments made in my associated question, I am considering discussing with my management that education requirements, such as incident reporting and acceptable uses, remain unchanged, and are considered acceptable use not affected by the changes. In this way, all users get a common basis of security requirements. Some processes such as responding to an incident can only work effectively with the cooperation of the end user via timely reports, so this seems to be a no-brainer.
Is personalizing acknowledgments of the company's security policies based on what is actually relevant to a particular employee's role a good idea?
If so, what can be used to measure the applicability of security strategies when they relate to a given role?