Policy enforcement

To this point, we have covered several technologies to protect enterprise systems. The final component is process related: policy enforcement. We covered security standards and policies in Chapter 3, Security As a Process, prior to any protection topics being presented. This is because, in order to have a position on how to protect systems in the enterprise, the trust models need to be built and the required policies written as a guide to what methods to employ. The benefit of having policies is that there is a communicated, enterprise-wide statement on how the enterprise expects employees to use assets, and the consequences of actions contrary to policy statements are also made explicit.

There is a standard set of policies typical to all enterprises across industries, such as acceptable use and technology use. Regardless of the controls implemented to protect the system, there will be administrators and other users with elevated privileges, and this access must be controlled and monitored. In addition to this aspect of system operations, the system may be vulnerable to threats from the network. Users who violate policies by scanning or attacking an enterprise system should be handled in accordance with the written policies. Enforcement may come in the form of an implemented tool, but it may also come from the monitoring of user activity on systems. Organizations must determine the method of policy enforcement, but ultimately the success of policy enforcement will determine the overall security posture of the enterprise.
