Failing to do a risk assessment before crafting a policy, but it is a crucial step many overlook. With Web Services Security Policy Language, the policy is in place.

Having a 'one-size-fits-all' mentality. But writing a security policy that is going to work for you means more than just editing. While you might use a template or borrow from another organization's example, after your risk assessment, it is important to customize your policy for what YOUR organization needs. They have a very detailed lay out. An A, B,C if you will.
Failing to have a standard template. Have consistency for policies within your organization, policy and governance, and awareness training. There is extensive training
Having policies that only look good on paper.
Organizations that are failing to do sufficient and frequent compliance checking.
This is recommended but no time of checking
Failing to get management to buy in to the policy
Everyone needs to abide by security policy, said Cresson Wood. That includes the most high-level staff members. Again detailed policy for all
Writing policy after a system is deployed
Security needs to be part of the systems development process, according to Cresson Wood, who said he often sees patch management programs that clients have put in place that are out of date and miss the mark of what is really going on in security.
Lack of Security policy needs to be reevaluated at least once a year, perhaps even more frequently follow up
This is not written but recommended