ABSTRACT

A security policy architecture document should not be written unless it applies to protecting an enterprise asset and executive management is willing to enforce it. As each security policy architecture document is written, also consider how it is going to be monitored and enforced: what specific items or activities documented within it can be monitored? The details from the security policy architecture documents are what the enterprise can use to develop and document security metrics or the return on security investments (see Figure 9.1).