INFOSEC - Data security policies need focus, execs say

10.04.2006
Focus, simplicity and enforceability are the keys to crafting corporate information security policies, according to IT managers who attended the annual InfoSec World conference in Orlando last week.

"Pick your battles," Anish Bhimani, chief information security officer at JPMorgan Chase & Co., advised other attendees during a panel discussion. He added that instead of having a laundry list of compliance items, companies need to be "crystal clear" on what their security objectives are and spell them out in a policy that workers can easily understand and that is high level enough to remain relevant for an extended period of time.

For instance, JPMorgan Chase has set a relatively short list of "must comply with" requirements that encapsulate the New York-based company's high-level data-protection goals, Bhimani said. It has also implemented a broader set of "should comply with" items that are more along the lines of best practices, he added.

"One of the things to consider is, how many controls are you asking people to comply with? Just focus on the things that matter," Bhimani said.

"By definition, policies are mandatory," said Charles Pask, managing director at ITSec Associates Ltd., a consulting firm in Leicester, England. As a result, they should include only items that workers absolutely must comply with, Pask said. Specific security standards and controls should then be implemented as part of an overall risk-assessment program, he added.

Sandy Bacik, corporate security officer at Tekelec, a Morrisville, N.C.-based provider of telecommunications services, said IT security policies should mandate behavior at a high level and need to be kept separate from security standards and guidelines.

For instance, a company could have a corporate policy requiring business units to protect their information assets based on the importance of data, Bacik said. A related guideline could inform business managers about the need for strong access controls, while a standard could specify the use of a particular password approach, she said.