
List of Suggested Security Awareness Raising Methods

March 28, 2010

The following topics are not organized in priority order; they are instead clustered by the type of communication involved.  Consider this list to be a menu from which appropriate activities may be selected.  The policy writer should not select just one or two of the following methods, but ten or twenty of them.  Repetition of information security policy ideas is essential; repetition impresses users and other audiences with the importance that management places on information security.

In-Person

  • Provide special classroom-style training courses at convenient locations every year or so (for users, systems administrators, remote site information security coordinators, new hires, and other audiences identified in a needs analysis)
  • Deliver policy ideas and other material at new employee orientation
  • Send influential information systems staff to off-site information security conferences
  • Hold video conferences where people from various sites discuss security
  • Stage vulnerability demonstrations (aka tiger-team attacks or penetration attacks)
  • Conduct risk assessments, especially when interviewing and other methods are used to engage staff in the process
  • Give small prizes like free lunches to exemplary staff
  • Conduct EDP audits, actually checking the extent to which compliance exists
  • Initiate an unauthorized software duplication inventory project where personal computers are checked for illegal software
  • Integrate security content with other face-to-face computer training materials
  • Establish and promote the existence of a management information security oversight committee
  • Establish a committee of systems administrators and other first-line staff who must deal with information security
  • Start disciplining staff for violations of information security policies, and let the reasons why disciplinary actions were used be known to others
  • Initiate strategic planning, new product development, and other initiatives which see information and information systems as a key to future competitive advantage
  • Prevent the use of certain new and desired system services (such as Internet access) until certain security projects (like a firewall) have been completed
  • Institute a new or more serious change control approval process, such as the prohibition against the establishment of new phone lines without first getting the information security manager’s approval; with the classic approach, an application does not move into production until adequate controls are installed
  • Declare an amnesty day for information security violators who wish to obtain technical or other assistance so that they may now be in compliance
  • Adopt an annual information security day on which special educational materials are presented and special events take place
  • Initiate a high-profile investigation into an information security breach and engage a large number of staff members in the investigation
  • Schedule special top management briefings where the strategic issues regarding changes in corporate culture to support information security are addressed
  • Conduct an internal survey of mid- and lower-level managers asking them what they think should be done to improve information security (thereby getting them to think about something that they probably don’t think about much)

In Writing

  • Add information security questions to written performance reviews
  • Require a signature on a personal responsibility statement (indicates that employees consider compliance with policies to be a condition of continued employment)
  • Require a signature on a form verifying that a worker has received a copy of, read, and understood the information security manual
  • Require all employees to annually sign a statement saying they have read and understood the information security policy manual
  • Require users to sign a security compliance statement before they get user-IDs
  • Write security articles for in-house newspapers, newsletters, and magazines
  • Issue written policy statements, procedures, and technical standards
  • Issue pamphlets or brochures to end users describing a code of conduct
  • Issue top management memos reminding staff about security
  • Distribute relevant clippings from newspapers and technical magazines
  • Hang posters and signs to remind people (some also use stickers and decals)
  • Make up special labels for disks, tape reels, etc. indicating sensitivity, handling instructions, ownership, and the like
  • Post notices on both paper and electronic bulletin boards
  • Insert notices in pay-check envelopes, air flight ticket envelopes, etc.
  • Integrate security ideas with systems development process documentation
  • Issue information security responsibility organizational design memos
  • Prepare an information security architecture or otherwise integrate security into the organization’s technology plans
  • Issue an information security manual containing policies, contact persons, and a list of approved in-house products
  • Write detailed back-up instructions and insist that staff comply
  • Develop and test a contingency plan to deal with information system emergencies and disasters
  • Require that information security risk acceptance forms be signed by all managers who are in charge of units which are not in compliance and which don’t intend in the near future to come into compliance
  • Prepare non-disclosure agreements and educate staff when they should be used
  • Prepare non-compete agreements and educate staff when they should be used
  • Prepare notices to be given to all people who come into contact with trade secrets notifying them that certain information is a trade secret and that it must be handled according to special security rules (policies)

On Systems

  • Add security instructions to application program and system utility help-screens
  • Purchase computer-based training (CBT) software that runs on personal computers and require staff to go through it; ideally it should automatically report back to an information security officer’s PC just how many workers have completed the training
  • Before users gain access to certain applications or systems facilities, force them to first go through a brief on-line training program
  • Prepare a personal computer security utility software disk including encryption routines, a password access control utility, a disk scrub (zeroization) utility, and a self-assessment questionnaire
  • Employ written or automated questionnaires to gauge the (self-assessed) level of compliance
  • Use special software to check security parameters, alerting security staff that problems exist (O/S installed incorrectly, passwords easily guessed, etc.); this is sometimes called vulnerability identification software
  • Set up an in-house intranet server and post all information security documentation to that server (including forms)
  • Establish web site blocking software at the firewall to control the sites that staff visit and then issue a memo explaining the new system and why it has been adopted
  • Require that all portable personal computers used for corporate business employ an access control software package including a boot password and screen blanker
  • Adopt a commercial encryption product as an in-house standard and internally publicize the ways that this will assist the organization with a move towards implementing PKI (public key infrastructure)
  • Establish logging systems that detect security violations as well as a formal process for (as needed) notifying users and their managers
  • Change the log-on banner to prohibit electronic trespassing, state that the system facilities are for business use only, and that all user activity is subject to monitoring
  • Change the initial invocation banners for specific applications (including e-mail) to provide application-specific security policies and/or other security instructions
  • Install regularly changing on-screen reminders, such as those which show at log-in time
  • Require users to click on a button indicating their agreement to comply with all information security policies at the time they log in to corporate information systems or networks
  • Place a notice on log-in screens (perhaps at a firewall or dial-up modem pool) that says users should proceed no further unless they have reviewed and understand Corporate’s information security policy
  • Use software agents that remind staff to perform certain security activities, such as regularly backing up their systems
  • Give all systems administrators the email address of the Computer Emergency Response Team (CERT) at Carnegie-Mellon University and get them to sign up for free notices about vulnerabilities

On Other Things

  • Write information security messages on coffee mugs, mouse pads, glass coasters, and other trinkets
  • Prepare video tapes that can be distributed to all remote locations (most often splicing material from previously-prepared videos)
  • Establish a hot-line with a message machine where information security problems can be reported (perhaps anonymously)
  • Cycle awareness materials on kiosks with built-in personal computers, or on closed-circuit TVs in staff-only areas like a lunch-room