The security policy life cycle, as suggested by J. Craig Lowery [1] in a recent white paper, is a model incorporating the following nine phases:
Draft. Representative committees write policies.
Adopt. Administration reviews and approves policies.
Implement. Administration defines procedures to implement the policies.
Educate. Users receive training about the new policies and procedures.
Deploy. Policies are put into effect; related technical solutions are deployed.
Monitor. Security team observes the computing environment for policy violations.
Enforce. Violators are punished as prescribed by policy.
Reevaluate. Policies are reviewed for continued relevance and accuracy.
Revise. Policies are revised as needed to keep them current, relevant, and accurate.