Enforcement

There is little point in creating policies if they are not enforced. Just imagine how ineffective building codes would be if they were not enforced. Enforcement is not a duty that can fall to a committee. Neither should the same operational group that is supposed to be providing service enforce policy. It's impossible to provide good customer service and be the police force at the same time. Usually enforcement is a function of the CIO's office and separated from operations so that customers see operations as helping solve the problem, rather than causing it.

Make sure policies are promulgated effectively to those who need to see them. As part of this effort, you might consider developing a training program around your policy suite and make sure you include this program in new employee orientation, management training, and other meetings as appropriate. Sometimes things like online quizzes, with prizes for completion, can be effective for measuring employee understanding of important policies.

Include an acknowledgment statement in every policy. Sometimes this is appropriate for individual users, but also consider having the leaders of organizations affected by the policy acknowledge that they've read it and that their organization is in compliance. If they can't sign a compliance statement, be sure to have a program for helping them develop a roadmap that takes them to compliance, and require progress reporting at the major milestones in that roadmap.

One of the most effective techniques for measuring and encouraging compliance is to conduct periodic audits. Here are some important points to remember when planning and carrying out audits:

Remember that the point of policies and enforcement is to create a context within which a working digital identity infrastructure can be built and operated. Enforcement actions should consequently be aimed at helping projects, organizations, and employees come into compliance rather than exacting punishment.