Organizations want a single view of risk. Decision making becomes easier, as does talking with regulators or shareholders. Security policies offer a common way to view and control risks. In addition, regulations require the implementation of security policies. A few examples include the Sarbanes-Oxley (SOX) Act of 2002 and the Health Insurance Portability and Accountability Act (HIPAA). This is not unique to the United States. Global organizations face an array of similar laws and regulations, such as the European Data Protection Directive.

Having well-defined policies that govern user behavior ensures key risks are controlled in a consistent manner. These policies provide evidence of compliance to regulators. Regulators are increasingly looking at how security policies are applied. It’s not enough to have written policies. Regulators also want to see evidence that these policies are enforced.