There are a couple of things that I take exception to. Number one is the IT department thinking that it can determine company policy; number two is the communication of policies that simply don’t exist.
An example would be something along the lines of an IT manager dictating that nobody in the company will use Instant Messaging because it poses a security risk. Was any consideration given to either what the business needs are, or to the risks that are being mitigated through having the policy?
It is possible that various departments need (or want – it’s not for the IT Manager to decide) to use instant messaging for communicating with clients. What should happen in all cases is this: if there is a requirement within the business to use a particular service or solution, then it is the job of the IT department either to provision it in a way that is cost-effective and secure and takes the relevant risks into account, or to make a very good case for why it can’t be done and propose alternatives.
Secondly, we have the “you can’t do that because it’s company policy” scenario, where the policy has been neither documented nor justified on the basis of risk. If the policy is not documented then it doesn’t exist. Stating that something is policy implies there are consequences for non-compliance: disconnection, loss of privileges, disciplinary action, etc. If any policy is to be enforced then it must be written down, and there must be a good reason for having it.
One of the challenges in managing security is to ensure that we don’t end up with a tail-wagging-the-dog scenario. The business should be leading with its requirements for the services and facilities that help it make a profit. The security team and the IT department should be working together to make sure that those requirements can be met securely. At the end of the day my salary is paid for by the good people in the company who generate the profits – I see my job as helping them make more, not getting in the way!