The most effective way to ensure information security policies are understood is to provide regular security awareness training. Training allows employees to actively engage with the material, ask questions, and internalize the importance and specifics of security policies. This approach is more likely to lead to a deeper understanding compared to documenting procedures or including responsibilities in job descriptions, which are more passive methods. Implementing a whistle-blower program does not directly contribute to the understanding of the policies.