!!! Overview
[{$pagename}] 

[Organizations] are complex entities, and few people indeed have a handle on just how complex they are.  As they get larger, organizational complexity increases exponentially against linear organization growth, because the number of linkages, [data] flows and [relationships] exponentially multiply.

[Policy] is an organization-level control.  When [policy] works, it is a very powerful tool.  When it doesn’t, it is ignored, or worse, becomes a cost.

Many years ago I worked for a major Unix workstation and server vendor.  This company had an [IT] [policy] which forbade the connection of any [Microsoft Windows] system to the company’s [network], without approval from the corporate vice president.

At the same time, this company had a finance [policy] of encouraging employees to use their personally owned PCs for work purposes, and even provided company-paid anti-virus and firewall software to install to mitigate the risk of malware, which was a requirement of the finance policy.  All of these PCs ran Windows.

[Policy] schizophrenia.  So what was the end result?  People used their PCs without VP approval, but didn’t bother to install the software provided.  The first policy was stupid, and people ignored both it and the second actually sensible policy.  It was a terrible outcome, because the security team burned resources on every malware attack, when those people without AV software caused problems around the company.

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }] 
----
* [#1] - [Engineering Security Solutions at Layer 8 and Above|https://web.archive.org/web/20130524214239/http://blogs.rsa.com/engineering-security-solutions-at-layer-8-and-above/|target='_blank'] - based on information obtained 2018-08-10