Policy vs Enforcement

It's a bit of a personal gripe of mine when people hide behind policies.  I'm not talking specifically about the IT or indeed Law professions, but in everyday life.  It's never enough to create a policy and share it.  Writing a policy is now more of a "tick the box" exercise; yes, it needs to be completed to ensure correct guidelines are set, but this is only the initiation period.  The main body of work for policy setting is enforcing the policy and ensuring that it is being followed by putting the correct measures and controls in place.  Obviously I am angling towards IT Security Policies now, which should be adhered to by all company staff, rather than computer or network security policies, which are usually (or should be!) fixed.  Penetration testing, to a certain extent, can be seen as another "tick the box" exercise in some respects, although vitally important in others.  Both creating IT policies for our end users and penetration testing can show the firm's board-level members that the correct thought process is being followed in order to mitigate security issues or worries, but the enforcement is sometimes lost when nothing beyond that policy is considered or actioned.

In its simplest form, I'll give an example of an IT policy which I believe to be correct...

  1. A meeting between IT and the business determines that no users should use Dropbox to upload company documents.
  2. A policy is written regarding Dropbox usage, in conjunction with both IT and the business.
  3. The policy is shared with the business.
  4. The policy becomes part of a new starter induction programme, so no one is missed going forward.
  5. Controls, measures and alarms are put in place which trigger when Dropbox FTP/HTML traffic is found.
  6. Those triggers are followed up on, and individuals are spoken to proactively.
  7. A review of the policy and the alarms/measures is carried out every X period and the policy reviewed, or shared again.
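As an illustration of step 5, here is a small detection script I've added for this post (it isn't from any product or vendor): it reads web proxy log lines in a hypothetical "timestamp user method url bytes" format, flags uploads (POST/PUT) to Dropbox domains above a size threshold, and groups the hits per user so the follow-up conversation in step 6 has something concrete behind it.  The log lines are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample proxy log (hypothetical format: timestamp user method url bytes).
SAMPLE_LOG = """\
2014-03-01T09:12:01 alice GET https://www.dropbox.com/home 1203
2014-03-01T09:12:45 alice POST https://content.dropboxapi.com/2/files/upload 5242880
2014-03-01T09:15:10 bob GET https://intranet.example.local/docs/policy.pdf 44120
2014-03-01T10:02:33 carol PUT https://dl-web.dropbox.com/upload_block 2097152
2014-03-01T10:05:07 bob POST https://www.dropbox.com/login 512
"""

# Domains assumed to carry Dropbox traffic; extend from your own proxy data.
DROPBOX_DOMAINS = ("dropbox.com", "dropboxapi.com", "dropboxusercontent.com")
UPLOAD_METHODS = {"POST", "PUT"}
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|DELETE) (\S+) (\d+)$")


def is_dropbox_host(url):
    """True if the URL's host is a Dropbox domain or one of its subdomains."""
    host = re.sub(r"^https?://", "", url).split("/", 1)[0].lower()
    return any(host == d or host.endswith("." + d) for d in DROPBOX_DOMAINS)


def find_policy_violations(log_text, min_upload_bytes=1024):
    """Return {user: [(timestamp, url, bytes), ...]} for uploads to Dropbox.

    The size threshold filters out small POSTs such as logins, so alerts
    point at likely document uploads rather than every visit to the site.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that don't fit the assumed format
        ts, user, method, url, nbytes = m.groups()
        if method in UPLOAD_METHODS and is_dropbox_host(url) and int(nbytes) >= min_upload_bytes:
            hits[user].append((ts, url, int(nbytes)))
    return dict(hits)


if __name__ == "__main__":
    for user, events in find_policy_violations(SAMPLE_LOG).items():
        print(f"ALERT {user}: {len(events)} Dropbox upload(s), e.g. {events[0][1]}")
```

In practice the alert would feed a ticket or SIEM rule rather than stdout, and the threshold and domain list would be tuned against what the proxy actually sees.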

The above is just one example of a system which might be misused, possibly unknowingly.  An article on ZNet shows that in the early part of 2014, 90% of data breaches were preventable, with 29% being caused either accidentally or maliciously by employees.  A lot of money is spent on perimeter defence (firewalls/network security) and client security (anti-virus/admin access), but an easy and relatively costless way of keeping safe perhaps doesn't hold as much importance in today's landscape.