6.2. You Want Me to Do What?
You can write all the policies that you want — but if you can't enforce them and your users don't follow them, they're useless. With security policies, you need to ensure that you have the appropriate support from across the organization in order to be successful. End users are an important part of this equation, but a host of other groups need to buy off on your policies, so you must account for all of them.
Chapter 7 talks about some of the numerous groups and teams you have to interface with when forming and deploying your security policies. You have to write and review the key components of your policies with these groups.
6.2.1. Being reasonable
Unreasonable policies can easily alienate everyone involved in the security policy process — from upper management to the end user. Never lose sight of the fact that all these people are your customers, and your (not so simple) task is to ensure that they're productive and happy, without risking security.
By keeping policies reasonable, you can actually increase the odds that employees follow the policies (ensuring your ultimate success in the task). The following sections discuss some sample policies, outlining what's reasonable and what's not.
Backup policies are very common these days — corporate data is extremely valuable, yet so much of it is stored on laptops and other PCs that can be lost or stolen, or simply fail. For these reasons, it makes a lot of sense to have a backup software ...