Security and compliance are often used interchangeably, but as the old rubric goes "compliance is not security".
One of the real struggles in IT security and compliance is establishing and maintaining standards: standards that are not only enforced for the existing infrastructure, but that also apply to the new and changing assets that make up all of what we call information technology. In these days of virtual assets and applications that cross so many boundaries, it's often hard to keep up with the far-reaching effects of products and services. As an example, SharePoint - Microsoft's biggest selling product ever - is being used in so many different ways, and often it's spread out across IT boundaries. It often ties into physical and virtual assets that have different operating systems, databases and certainly different browsers (which act as the UI). Making what may seem like an innocuous change (an upgrade of the SQL Server version, for example) might have unintended and wide-reaching effects.
Well, as you might expect, I'm here to advocate for establishing policy that is comprehensive enough to account for today's assets, and that also includes ways to introduce new pieces to the puzzle as well as ways to retire the pieces that are no longer desirable (whether they are necessary or not is another discussion that I won't cover here today). IT policy, when codified, is often incomplete in that it covers only the assets that exist in today's specific configuration. Having the foresight to include how to add and remove resources will save you a lot of effort and headaches. This really goes beyond a simple (or even complex) change control policy. It's something that you have to address from a security and compliance standpoint.
What do you tell people? How do you evangelize this message? You have to get an understanding of how they are maintaining their compliance today - and what happens when assets are added and removed. Adding a Windows file server? Not only do you need to plan who gets access to create, read and delete files, you need to think about whether or not the data housed there will need to be audited, and how that auditing will be reported. Are there exceptions to the standard policy? For many IT departments, this is an afterthought - usually after being flagged in an audit (formal or informal).
This is where the overarching message of consistency needs to be applied. Policies that control security and compliance need to be married to the policies that govern adding assets to and removing assets from the infrastructure. Only when security and compliance are part of the "on-boarding" process can you be assured that you have all the bases covered and will remain compliant. I think we do a good job of talking to people about provisioning from a user perspective, but we really need to expand on that and talk about other assets as well - and make security and compliance a clear part of the process.
Remember that compliance is easiest when it's done ahead of time (as in before an audit or policy review).