In case you are wondering, simply creating a policy to enforce behavior of your people won't work.
The Computerworld "Security Manager's Journal" this week has a piece on discovering that people aren't following policy. After some hunting and discussion with a number of people, he decides to do a better job of communicating the policies, and he wants to find some policy management software (checks whether people read and understand). We had this stuff at my old company, and I suspect most of us forgot the policies shortly after we "read and understood" them. They had very little to do with how our regular business ran. I should admit that the system at least ensured everyone had heard that there was a policy.
Of course, policies and standard procedures are a problem, whether they are associated with IT or any other function of the business. The best "uptake" of these policies I have seen are when they are reinforced throughout the work environment. For example, we had some training on "good e-mail practice," and two days later our leadership were applying what they learned by suggesting an e-conversation stop because of the nature of the material.
It's every employee's responsibility to periodically review the company intranet for new information and to review policies and guidelines, I stressed. And I explained that by reviewing the policies, employees can help the company identify suspicious activity and prevent malicious code from being introduced into the network.
But that's not enough. I'm considering hosting a series of brown-bag lunch meetings and asking the HR department send out e-mails stressing the need to adhere to and understand security policies. And I'm looking into deploying new tools that can help me enforce policy dissemination.