This story was printed from ZDNet Australia.
CIOs: teach your users IT security practices

By Vivienne Fisher, ZDNet Australia
December 10, 2002
URL: http://www.zdnet.com.au/insight/soa/CIOs-teach-your-users-IT-security-practices/0,139023731,120270564,00.htm


Although IT security policies are an important part of an enterprise's defence arsenal, security needs to be more than just a document. ZDNet Australia looks at some tips for educating users.

One respondent to a recent IT Manager channel poll on the issue of educating users about IT security talked about the importance of senior management buy-in. "While e-mail reminders are fine, I find the best way to assist management in helping raise the security bar is to conduct after-hours inspections," the respondent said.

He suggested checking to see who had left their machine unlocked, trying for guest accounts on PCs, and trying blank passwords on laptops. "It does not take long for word to get around, especially if you have senior management cover on this," he said.

Another IT professional, who wished to remain anonymous, said that he runs a program which takes a snapshot of hard drives and then imitates deleting it. "I find this useful in educating users to back up laptops or information on their hard drive to the server on a regular basis, and to discourage opening suspect e-mails," he said.

Moving security beyond simply having an IT security policy document is something other industry pundits emphasise as well.

Michael Warrilow, practice leader for security at META Group, said that these documents tend to be created once and forgotten about for a long period of time. However, it should be a process of small refinements, he said.

As for getting users to follow IT security policies, Warrilow said: "It comes down to trying to change human behaviour or the way people do things. I'm a believer that most employees want to do the right thing--make it simple for them, make it concise."

Research from META Group's Tom Scholtz has found that although information security continues to have a high corporate profile, "many organisations focus all their energies on searching for technological silver bullets".

"But implementing security technology without policy guidance is analogous to having police, courts, judges, and jails, but no law," Scholtz said. "Our research indicates that most written security policy within Global 2000 organisations is ineffectual because it tends to be developed independently of the business."

Scholtz suggests making policy management an ongoing process rather than an ad-hoc activity. He also advises that effective compliance and enforcement requires that other security policies, such as awareness communication and forensics, be aligned with the set policy and integrated with the policy management process. "Policy enforcement models should be linked to HR policy, employment contracts, job responsibility models and disciplinary codes," Scholtz said.

Likewise, a report from industry analyst Gartner G2's Richard Mogull argued that security awareness has to be integrated into a company's structure and culture.

"Security awareness goes beyond annual training seminars or a few posters hung in the lobby," Mogull said. "In a truly secure company, awareness of security practices and policy permeates the organisation's culture and consciousness ... A few systems administrators in the IT department can't be responsible for all the information security needs of [the] enterprise."

Mogull describes the building blocks of a security-aware enterprise as policies, plans, culture, organisational structure and education.


Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.
ZDNET is a registered service mark of CBS Interactive. ZDNET Logo is a service mark of CBS Interactive.