Fortunately, most companies have implemented information security in one way or another. Far fewer have a clear, documented definition of what (information) security actually means to them.
If the people in your company are expected to be familiar with at least the basic principles of information security, they should be able to find those principles and understand them. This is essential to make sure everyone is aligned on what security is. For some people, security is as simple as installing an anti-virus scanner, while a dedicated security professional might mean the whole process of classifying data, implementing security controls and having proper risk assessment methods in place. The main goal is to align people and prevent a false sense of security as much as possible.
One common way to make security visible to your employees is to publish a link on the intranet pages of your company. That link should lead to a dedicated security program page where the definitions, contact persons, standards/guidelines and general tips can be found. Experience teaches us, however, that most people are not interested in the subject; they simply want to do their job. Security is often considered a burden, something on top of their actual work. So whatever these pages look like, make them user friendly, and measure both how easy they are to find and how often they are visited.
To make sure people understand your company's basic definition of information security, create an annual training for everyone who deals with sensitive information on a daily basis. Describing the definition itself is a start; testing whether people have understood it is a good follow-up to determine the effectiveness of the training.
Security metric tips:
- Measure the number of visits to your security portal. A raw visit count says little on its own (a page everyone is forced to click through will score high without anyone reading it), so combine it with the comprehension measure below.
- Measure how many people (or what percentage) get the definition correct in the annual security training.