
Roll out of Security Policies

Last post 10-22-2007 9:33 AM by rkaeder. 1 replies.
Page 1 of 1 (2 items)
  • 10-18-2007 4:19 AM

    • MIKE S
    • Top 75 Contributor
    • Joined on 10-18-2007
    • Posts 1
    • Points 40

    Roll out of Security Policies

    I have, over recent months, been developing a suite of security policies for my organisation. To date the high level Corporate Security Policy and the Acceptable Use Policy have been disseminated to all staff.

    However, with regards to the other more specific policies e.g. Data Back-Up Policy, Portable Devices Security Policy etc., I would be keen to know what members think is the best way to roll these policies out to users, as I really do not want to suddenly "dump" another 8 or 9 policies onto staff, as it would make them totally ineffective.

    I would welcome any view, perhaps from personal experience.

    • Post Points: 40
  • 10-22-2007 9:33 AM In reply to

    • rkaeder
    • Top 50 Contributor
    • Joined on 02-28-2007
    • Posts 1
    • Points 25

    Re: Roll out of Security Policies

    Mike,

    In my experience, one of the chief complaints I hear about security policies (and indeed most organizational policies) is that they don't fit the industry, are created in a silo oblivious to the organizational & process touch-points that exist (the presence of converged or partially converged risk management processes), are inadequate or incomplete in terms of content, or simply do not integrate well with the processes & practices used by the employees "on the ground".  Presumably during the course of policy development, you & your team took care to ensure that the policies were rationalized -- that is, aligned to one or more industry/regulatory frameworks, appropriate for the line of business you operate, and functional from the individual employee's perspective (user friendly).

    For my part, I've found publication of specific topical policies to be most effective when it is combined with a concerted effort to provide awareness & training for specific groups with the overall tone being one in which you are offering your assistance to the group in helping them "do the right thing".  Very often the "new" policies can be presented as "new & improved" (in the spirit of advise & assist) as opposed to simply disseminating an additional list of policies & controls (a task made much easier if the policies were drafted from the start with a "how to" mindset as opposed to a laundry list of do's & don'ts).  Using that approach, you can take the opportunity to build awareness around the entire set of policies applicable to a specific area or function rather than just addressing the new policies while simultaneously marketing the information security function as a process-improvement oriented organization rather than simply compliance cops.  I'm in the process of doing that right now and our focus during the first quarter after completion of the development of policies & standards is focused on our developers [general policy awareness plus secure system build, test, & release-to-production processes] and our procurement/contracts staff [general awareness plus security due diligence (from our customer's standpoint) and service provider oversight].

    In short, I believe two of the chief success factors are the correct tone/positioning of the controls and the ability to incorporate the opportunity into a broader training & awareness campaign focused on specifically targeted groups.  Hope that helps generate some ideas for you.

    All the best.

    Randy

    • Post Points: 25