When it comes to managing security policy, name your poison: do you keep it via wiki, knowledge management system, or CMS? Or, is that all important document still paper-based this many years into the digital evolution?
A related question: How do you render your policy operational? By this I mean, how do you motivate employees with all those theoretical security ideas and make sane, safe practice something that’s part of the daily routine? From what experts have told me, a digital security policy can be a first step of a bigger process (including training) in getting this important work done.
