Effective policies: Clear and unambiguous, enforceable (with consequences), appropriate to audience, exception process defined, regular review schedule, management support, communicated and acknowledged by all staff.
Policies that employees don't know about or can't comply with don't improve security. Write policies in plain language. Annual acknowledgment creates accountability. Policies must be enforced consistently — selective enforcement breeds resentment and non-compliance.