Best Practices for IT Security Policy Enforcement

The information security team should develop a close relationship with the legal team. They need to understand each other’s processes and priorities. Teams should communicate their roles and responsibilities to one another. This helps them understand the various ways they can help enforce policies.

The information security team should review the current legislation that governs their business. This helps them understand what the law requires and what their legal team recommends.

The legal department should review all new or major changes to policies. The legal department needs to be briefed on how the policies will be enforced. This includes a discussion of both automated and manual controls. If your organization does not have an in-house legal department, then it is advised that you retain outside counsel to review your policies.

Enforcement of policies is based on a risk assessment. All policies should be followed; however, those that mitigate the greatest risk to the business should be targeted first. Excessive enforcement of policies with little or no effect on the business damages credibility.

It’s important to ensure that consequences and enforcement are properly socialized throughout the organization. This can be accomplished through both awareness training and executive messaging. Information security policy enforcement is primarily a risk management function.

Wherever possible, use automated controls to enforce policies. If the organization is concerned about social networking sites, then block them. If the organization is concerned about personal email, then block those sites. When sites are blocked, an employee must overtly disable or bypass a control to gain access. The overt act of disabling or bypassing the control would be a significant violation of policy. There should be zero tolerance for such acts. However, automated controls must be reviewed from time to time. There are numerous instances of automated controls inadvertently blocking legitimate traffic.

As much as possible, make a clear distinction between home and work life. Be sure that policies are clear about the use of company equipment. This includes clearly stating that there’s no expectation of privacy. Also state that all company equipment can be monitored. Personal devices connected to the network should be prohibited.

Security policies should not be based solely on enforcing laws. Developments in computer technology occur very frequently. With every new product or upgrade, new vulnerabilities are discovered. Often, we are not aware of a vulnerability until it is exploited. When enough exploits occur, laws are sometimes created. Because the legal system is reactive in nature, it does not have the ability to keep up with exploits. Laws take time to be formulated and approved, and then they must be interpreted and regulated.

The CISO position continues to evolve from a technical management position to one that combines both technical and executive functions. In many organizations, the CISO reports directly to one or more top leadership roles. The CISO must rely on the organization to enforce policy, so the role needs to build relationships and consensus. The enforcement of security policies is about influencing behavior and changing culture. Executive management must set the tone and enforce policy consistently across all lines of business. There must be a consequence for noncompliance. Management must engage in making employees aware of the importance of security policies. There must be escalating levels of discipline for noncompliance, up to and including termination of employees who commit serious violations.
