Best Practices for IT Security Policy Implementations

A proper implementation process educates, creates support, and integrates the policy into day-to-day operations. A standard process that ensures business risks, compliance obligations, and threat vectors are considered in every policy change is a best practice.

The goal of employee awareness and training is to ensure that individuals have the knowledge and skills needed to implement security policies. The primary objective of a security awareness program is to educate users. Creating awareness should be an ongoing effort that reinforces key security concepts. The awareness component is important because it sets the tone and goals for security policy implementation.

In writing policy, don’t use imprecise language such as “should” or “expected.” Assign clear accountability to specific roles. Specify precisely which resources are covered by the policy. Avoid requiring specific technologies in a policy.

As noted earlier, implementing a security policy is much more than simply writing and publishing a document. In fact, writing and publishing a policy document is but a small part of a larger process. Creating an IT security policy is less about the document and more about the control environment the policy creates. A policy is a means of implementing a control, such as a way to prevent or detect a specific type of security breach. Simply publishing a policy does not, by itself, prevent or detect a security breach. Policy implementation must be a series of steps that ensure the policy is put into practice. The following sources can be of help:
