This is part of an ongoing series on documentation development.
Do words matter? Of course they do. There are few places where this statement is as true as in documentation. When developing policies and procedures, we must be very clear about the rules. Must and shall mean, as the name implies, that the action is not optional. May means that the action is allowed, but not required. This is an essential difference. Take for instance: sharing passwords. A policy statement should be in place saying something like “users shall not disclose passwords to others.” This clearly dictates that passwords must not be disclosed. May, on the other hand, allows a bit more flexibility. For example, take the statement “users may bring in their own monitors.” In this case, users are allowed, but not required, to use their own monitors.
Read the rest of this post at our new blog site: http://blog.securestate.com/post/2011/05/02/Information-Security-Policies-and-Procedures-Part-7.aspx