Implementing the Policy
The final step is to put the security policy into action. Implementation follows different schedules in different organizations: it may be done in different chronological orders and divided into different stages or phases for rollout. In any case, it consists of two primary elements.
The first element consists of educating users and initiating appropriate changes in corporate culture. The second includes technical installation and configuration. This second element can be further divided into changes to the hardware and software with which users directly interact (their own computers) and changes to the systems with which they do not (servers, perimeter defenses). Only at this point does the selection and configuration of particular security products become significant, because only now can they serve as effective tools for implementing a policy that already exists.
"The biggest problem with policy is that people make it too complicated and don't write it in human language," says Emman Ho, vice president of IT Services at A&E Television Networks. "You can make a policy like a phone book, and I guarantee that no one will read every line."
A&E's solution is to target their security policy document at the end user, keeping it short--say, three pages--and emphasizing nontechnical language. Other enterprises find this balance by drafting a number of different documents intended for different audiences.
PayPal uses three separate documents: a policy document that outlines high-level overarching goals and priorities in a short format, a standards document that goes into more detail about rules and expectations, and a procedures document that spells out specific details.
Another key factor to keep in mind throughout the implementation process is the speed with which a particular organization can absorb and internalize change. Just as it would be foolhardy to expect to simultaneously shift every user within an enterprise to new hardware or software, it is counterproductive to attempt to force major changes in organizational and user behavior instantaneously. This should be a gradual process, ideally beginning with the development of some consensus and buy-in early in the planning stages.