When implementing a plan for IT security policy compliance monitoring, you can use several different best practices. The following list shows some of these:

• Start with a security policy—The security policy acts as the road map. This is a written document, not just some ideas in someone’s head. Without the written document, the actual security policy becomes a moving target, and monitoring for compliance is challenging if not impossible.
• Create a baseline based on the security policy—Use images whenever possible to deploy new operating systems. These images will ensure that systems start in a secure state. They also accelerate deployments, save money, and increase availability.
• Track and update regulatory and compliance rule changes—Formally track regulatory and rule changes as a routine. Map changes to these rules to policies and configurations controls. Then update security policies and technology as needed.
• Audit systems regularly—After the baseline is deployed, regularly check the systems. Ensure that the security settings that have been configured stay configured. Well-meaning administrators can change settings. Malware can also modify settings. However, auditing will catch the modifications.
• Automate checks as much as possible—Use tools and scripts to check systems. Some tools are free. Other tools cost money, but all are better than doing everything manually. They reduce the amount of time necessary and increase the accuracy.
• Manage changes—Ensure that a change management process is used. This allows experts to review the changes before they are implemented and reduces the possibility that the change will cause problems. It also provides built-in documentation for changes.