Update policy documentation to use plain language #162

Open
1 of 3 tasks
frangrit opened this issue Apr 18, 2023 · 5 comments

frangrit commented Apr 18, 2023

Proposed changes

  • Explain acronyms on first use

  • Use simple words and terms when possible

  • Change to active voice where appropriate

  • Include or link to instructions for software set-ups and settings changes

  • Create a new branch

  • Create a PR with the handbook changes and link it to this issue.

  • Review the PR with the security team

@frangrit frangrit self-assigned this Apr 18, 2023

q0rban commented Apr 18, 2023

I wonder if there's a "plain language" automation we could add, so it could fail a PR if things get over a certain grade reading level or something.


q0rban commented Apr 18, 2023

Looks like syllable has an automated-readability formula.

@frangrit
Author

That's fun. It'll be tricky, though, because by nature a security policy is going to have a lot of big words. This will probably cause us to fail a readability test—but the big words might be necessary. It could be a good first step? Would require some fine-tuning.

@frangrit
Author

So for stuff like the quote below, I wonder whether the language is intended to be formal for legal reasons, or if it can be made a bit more friendly.

As such, all employees must ensure they adhere to the guidelines in this policy at all times. Should any employee be unclear on the policy or how it impacts their role they should speak to their manager or IT security officer.

Friendly version:

All employees must adhere to the guidelines in this policy at all times. If you are unclear on the policy or how it impacts your role, you should speak to your manager or someone on the security team.

@deviantintegral
Member

The original policy was written using https://www.iso.org/isoiec-27001-information-security.html as a reference, so much of the terminology comes from there. While this policy is used for employees, it is also given to clients who usually ask for it. So while we'll want to be careful about some of the terminology, we certainly can remove or simplify the verbose language.
