Enforcement
Having policy as written document isn’t enough. If there is violation, it must be enforced thru correctional approach.
In real world, this is done by disciplinary action, imposing fine or even imprisonment depending on severity of violation. This will reinforce the attitude for policy compliance. An example is jumping the light detected by traffic camera. At best if there is no traffic accident, impose fine and deduct marks to remind this act will hurt other road users. At worst this misbehavior has triggered traffic accident, it might be resulted in criminal offence for imprisonment.
In cyber world, the situation is similar.
- Stipulate the cybersecurity directive (policy) and indicate what is the protection objective
- Establish policy exception process
- Define the levels of correctional action per violation nature
- And most importantly, raise awareness to educate all levels why the policy must be complied for what purpose and consequence of violation