Policy enforcement is the process of ensuring that the enterprise's security policy is followed. It is targeted at the people and associated processes of the enterprise, not its technology. However, technology is a component of enforcement - technical controls are needed to support these processes. Make the corporate security policy enforceable by putting both process and controls in place.

Technical Controls
Without awareness of employee activities, the actions required to enforce the corporate security policy cannot be taken. This awareness is primarily gained through the use of audit and logging tools.

Generic or native logging functions such as syslog for server monitoring and Active Directory for user monitoring provides the minimum required capabilities, but the monitoring and reporting functionality of these tools is limited.

To provide enhanced user monitoring capabilities, solutions such as Identity and Access Management (IAM) are needed. IAM actively monitors user activity by tracking access to devices and files, recording who does what. IAM solutions are not for everyone due to both temporal and fiscal concerns. Typically they are only fully deployed by larger enterprises. However, IAM offers the pinnacle of capability when it comes to user activity monitoring and is becoming more common.

Paralleling the capabilities of IAM solutions for device monitoring are Policy Compliance solutions. This software uses a central management console to establish policy, and a set of distributed agents to both push that policy to the enterprise components and to gather information from them. These tools allow for detailed, consolidated reporting on what is happening with the enterprise's systems.

Management Processes
Once the information about user activity has been captured, it must be used. The responsibility for using that data and taking action falls to management with the support and guidance of human resources. To be justifiable at all times, enforcement must be consistent and, therefore, the procedures that are to be followed need to be clearly defined.

The enterprise can adopt one of two stances - either all policy contraventions are treated equally, or offences can be differentiated into more and less severe issues. Using at least two levels of distinction allows the enterprise flexibility in responding to problems. For example:

" Any contravention of the security policy by an employee of the company will be classified as either a violation (minor offense) or a breach (major offense).

" The first violation will result in a verbal warning.

" The second violation will result in a formal written warning.

" The third violation will result in immediate termination with cause.

" In the event of a breach, the company reserves the right to take any course of action up to and including immediate termination with cause.

Using at least two layers of differentiation allows the enterprise to eliminate any hint of arbitrariness in the actions it takes - any employee that is immediately terminated can be indicated to have breached, rather than violated, policy. Seemingly arbitrary action can undermine the effectiveness of the enforcement measures, and ultimately the policy itself, and so is to be avoided.

Having such a set of rules and actually adhering to them are two different propositions. The actions specified must be taken consistently in order for them to maintain their effectiveness - deterrents lose their effectiveness to deter if they are not applied or are applied inconsistently.

Recommendations
1. Establish how the policy adherence will be enforced and communicate it. Make employees aware that actions will be tracked and that consequences exist for those that are inappropriate. A hierarchy of severity of inappropriate actions needs to be part of this communication as well, as do the specific actions that will be taken in each case.

2. Assign responsibility for enforcing the policy. Both management and Human Resources will need to be involved in the process, but one group will need to be empowered to take action. Typically this will be management under the directed guidance of HR. These lines of communication need to be carefully built before the first problem occurs so that appropriate action can be efficiently taken.

3. Determine what aspects of policy compliance need to be tracked. Basic logging capability is inherent in the everyday tools deployed across the enterprise If, however, the security policy is exacting and specific, these native solutions may not have sufficient functionality. The more granular the corporate requirements, the higher the need for specialized tools, such as IAM and Policy Compliance.

4. Advanced tools come with other capabilities so choose wisely. An advanced monitoring and logging solution, whether IAM or a Policy Compliance tool, offers security capabilities beyond just detailed logging. Given the expense associated with these solutions, pick the one with the broadest applicability to the enterprise's needs by understanding the enterprise's global security goals.

Bottom Line
Enforcing security policy is a people process that needs to be supported by technological controls. Ensure that both exist within the enterprise to make certain that the dictates of the policy are followed.