By Harris Weisman

In a way, your information security operation is like a crew boat. It operates most efficiently and effectively when everything is in harmony. To make sure the metaphorical oars all hit the water at the exact same time, you need to establish some rules. Forget about a coxswain; sound policies and strong management systems steer your crew.

Part of managing risk requires periodically evaluating your policies and your enforcement program, and updating the guidelines and technology that ensure employee and system adherence to them. Similarly, vendors now offer products that can convert policies into specific configuration criteria and commands.

Policy management isn't just a matter of good practice -- today's regulatory requirements make it an imperative. You can create and manage policy manually, or you can turn to automated tools that implement controls enabling them to adhere to various regulations. Either way, by taking steps to ensure policies are established and managed consistently, you can steer swiftly through threats of security breaches, regulatory glitches and failed audits.

Setting the rules

When it comes to writing policies, there are many resources available, including the SANS Institute's Security Policy Project and the