An interesting article at nwfusion give us The scoop on security policies. There are some good points in the article about keeping the policy short and to the point, although I've tended to find that in larger companies it is a real challenge to convey all the information that you need to, to your userbase in a very short policy. There are other alternatives of course, like splitting the information up over multiple documents, but that can lead to people reading the first one and none of the rest.
One other point to note, is that even more important that the security policy itself is the communication method and the periodic reminders. If you only give someone the policy once and then never revisit it, most people WILL forget whats in it.......
