I liked your article and I have to say I agree with it overall.
We are in the "process" of doing just this type of policy overdrive and many times it alienates our clients and/or tends to get in the way of IT innovation.
But one part I think that is somewhat true is that policy allows one to protect themselves from those that would try to blame IT or the company for something that goes wrong, e.g. loss of PII data because of lack of policy. With the policy in hand one can simply set it before the accusers and say, "See we have a policy about this".
As they say ignorance of the law is not an excuse.
When I started there was no IT person and entirely draconian policies of no phone or internet for personal use.
As the IT person early on, it was my job to enforce this policy by essentially blocking any non-work-related sites they would go to.
I introduced the concept of nuance to the policy and, over time, I have shifted it to a general policy that is designed to protect the company from liability of them doing something stupid, and keeps them accountable for what they do if they are abusing through overuse or their productivity is suffering.
I still get to be the bad guy so don't expect any gratitude from the rank and file.
The number of people who plead "there's no rule against that" roughly equals the number of people who abuse the resource. When they do, it's IT's fault for not having a rule.
Many times IT is put in the position of creating a policy that really has nothing to do with IT, in the sense of who should craft such a document.
For me to tell people they can't access Facebook at work or use their iPhone on the company network is not in my purview. This sits squarely in the company leadership and oversight.
"Treat your employees like adults until proven otherwise."
This idea was quickly lost as soon as Internet access was given. The majority quickly became the offenders, not the prudent.
IT creates policy to define responsibilities, limit liability, and protect company interests. As Stephen stated above, the best defense is "our policy states".
I would love to limit policies and oversight, but the user base has proven that cannot be allowed.
HR is the same way. Many policies are not of importance to the employee, they are for the protection of the company and its assets. If you raise a concern or challenge a mandate, you will be immediately referred to HR policy X.
Laws are for the lawless, the self controlled do not require them.
I absolutely agree with you. There has to be a written explanation of the do's and don'ts of working for any particular equipment of any company lest the employees know nothing of what's expected of them.
On top of that, many have NO idea of what the "policies" prevent and are seen as simply "rules" without reason. So TEACHING is a necessary evil in those areas; so is testing if they're expected to be responsible for what they say/do on the 'net. Many aren't aware of how easy it is to give out personal/company information. How are they supposed to know?
Copy each and every relevant "policy" into their job descrips? For a 500 employee company that's 500 copies of the same rules to each person. Ignorance of the "law" IS acceptable when there is NO LAW stated to break. But when reading the policies and not keeping track of updates is THEIR given responsibility and mentioned in their job description or somewhere related to them, THEN ignorance is no excuse. Realism and reality will bite everyone on the ass; so protect yourself, write it down, and require reading it monthly say, or whenever a policy is announced as changed.
I cannot imagine the non-thinking abilities of one who would say that there should be no protection for the company or its employees written in easily locatable, readable locations. THEN you have a basis for punishment, even dismissal if necessary, where on the other hand, you'll likely only open yourself to a lot of lawsuits including OSHA, 9xxxx incorporations, and the list goes on.
To argue against policy making is to argue against your own company, department, job entitlement and more.
I was responsible for generating and managing IT policies and procedures at one point in my career and like you I too fantasized daily about starting a big fire in the back parking lot and feeding it with tome after tome of policies and procedures manuals until they were reduced to the useless pile of ash that I viewed them as. That was until my most senior and experienced systems programmer decided to abuse his super-user level of access to the environment and, when his services were terminated and he sued the company, I ended up in the Industrial Relations court as the star witness.
I was never so happy to be able to rely on the volumes of policies that we had produced which clearly expressed the company's stand on the actions he had taken and which as a senior officer he had signed off on and agreed to adhere to in the execution of his duties - obviously without reading them before signing. After the initial assertion that the systems programmer was not aware that what he had done was prohibited, the first request made by the judge was for the bank to provide proof in its policies and procedures that the relevant information had been documented and circulated to staff. Without our beautiful policies and procedures and our well kept circulation records the bank would have lost and would have paid a couple million dollars in compensation and possibly have to reinstate someone who could no longer be trusted into a highly sensitive job.
There may be some industries that can play fast and loose with policies and procedures and leave things up to the inherent integrity of people but the financial industry and possibly some others cannot afford to do that because the stakes are simply too high.
In today's business the stakes are always high. All business should take it seriously. The financial sector is a brilliant example but all industries must protect themselves.
Could you imagine an employee within a Cloud Service Provider having access to the data of possibly thousands of businesses? Such systems are open to abuse - policies are there to enforce and protect the business, and as expected, any client or partner. Even a small business could find an employee is using their systems for personal gain (quietly sub leasing resources in their own name etc)
With the ever increasing loop-hole generation, the documents are only going to grow in size - a technicality could cost a business ??1000, or ??1million. Based on size, either is an unaffordable loss.
Long live policy and process - It's been a part of my working life since my first professional job in my early teens and will remain so until I retire. I create, I enforce and benefit from it daily.
People aren't happy with the size, but essentially only a few need to know them to the letter.
You can still trust your employees and provide any required level of freedom you desire, however you must still protect yourself as a business - which you will always remain, long after any employee leaves.
Employees prove otherwise constantly. They prove otherwise every time they click on spam, phishing links and malicious attachments in email. They prove it by being careless with smartphones by not setting up a password on the device then proceeding to lose it. Where do I end? End users cannot be trusted to keep data secure regardless of what fantasy world you want to create with no policies. Regardless of how sad it is, one of the most important jobs of the IT department is to protect the user from the user and that takes policies and restrictions.
Treat your employees like adults until proven otherwise: That's a good mantra for mgmnt and has nothing to do with "policy". Without policy, those who do NOT follow the rules need something in writing to alert them to the dos and don'ts of using the company's equipment.
comes very close to what I (and maybe others) consider spam. Consider using relevant titles for your posts.
Your post survives my survey, but somebody else may click the link.
back before win95 arrived on the scene,
a PC was a device that had to be learned like learning to drive
you had to at least learn basic skills like file management, and the basics of how the guts worked etc. before you went out and bought one
the way it is now, as of the advent of win95,
the whole focus has been shifted to:
A PC is a type of appliance in the same category as a toaster:
- no education required
- go to the store and buy one
- take it home plug it in and start using it
I've been around long enough that, I don't get hosed by attachments, spam, badsites.OMG, phishing scams etc.
and even bad disks don't hurt much,
other than the time wasted in replacing and copying the files back from the other disk in the pair (all my disks are paired, with the exception of the C:\ partition which is backed up to image)
I also configure: GPEdit & RegEdit etc my systems to the point of,
the average end user would have trouble getting it to do anything for them
I lock down IE so that it's useless for most sites
ie. I set every "Zone" to High Security settings tweak it, and then disable it further in the Advanced Tab
I have never once seen an AV popup alert from the system tray AV icon in the last 9 years while using win2K & XP
(with the exception of the EICAR test file and false positives on older tools like LeakTest from GRC)
and, today with AV installed, people are still getting hosed even on win7
I have been given many older systems of various vintages and never once did I receive a clean win9x & up system,
the only clean system I was given was an old 80386 "DOS only" box that was never connected to anything but power
but as long as the mantra from Redmond is:
Go buy it and use it, without first getting any basic PC, security, web safety etc. education
the problem of end users causing problems will continue on indefinitely!
If you said "Apple" then I would agree with your post to a decent degree. My Sister in law was sold a MacBook and the guy in the shop told her not to bother with any firewall, AV, etc. because "only Windows users are at risk on the internet". Whereas every Windows version in recent memory has built in firewall and increasing levels of ground level security. In fact this is what peeved most users about the introduction of Vista was UAC and other stuff brought in for security reasons. Users don't like security. They don't like remembering passwords. Never have and never will.
with Apple it was the same story
in the beginning you had to have a clue how to operate the thing
the first Apple I used, IIe had a tape drive and you had to type Load program name at the prompt and even when we got the 5.25" floppy you still had to load programs that way
and now they're just as guilty of the
a PC / Mac is as easy as a Toaster
mentality
so the problem with both is neither are as concerned about you the end user learning how to properly use the full feature set of the OS including the underlying guts, security, self-directed file management etc. as they are about padding their wallets with annual millions of units sold versus the annual few thousand units sold in the earlier years
specifically the sales of new PC's & OS discs jumped up significantly after win95 because of the PC in every home Toaster type marketing
I only ever met 5 people who had win3.1x on a PC @ home in the 90's
but nearly everyone I meet now has had some level of win9x & up usage
back then grandma & grandpa weren't interested in DOS & win3.1x because it required "Learning" something about how to use it
now you go to the store and they throw one at you and say: "here ya go, ..."
(now go get infected and bring it back for service)
the shops around here in the win3.1x days offered a day or two of 1 hour simple instruction on how the system worked and how to use it
including installing DOS & win3.1x on yer new system because only a very small amount of systems were OS pre-installed,
until win95 came along
now, it's here ya go ... we've got yer money now get lost!
We use Windows 7 and Server 2008R2 so all this talk of ancient history is fun but irrelevant.
Let's face it my local Ford dealer doesn't offer driving lessons. Don't buy stuff you can't operate. Simple.
"Ford never told me I couldn't drink a bottle of Jack D before driving, boo hoo."
Your Ford dealer cannot sell you an automobile unless you already have a driver's license. Where did you get that training?
Don't buy stuff you can't operate. Simple.
Simple-minded, perhaps...
Computer users aren't required by law to have an operator's license or liability insurance, or to be a minimum age; and aren't taught safe operation as part of their school curriculum.
Driver ed is only part of school curriculum in the US. Most European countries require prospective drivers to be 18 and to take an independent, certified driver training course that costs $2k or more.
The decline in the cost of systems is what allows consumers to have a computer at home. If a laptop computer still cost the 2011 equivalent of 1990's $4000, it wouldn't matter what the OS looked like. People didn't mind spending $150 to learn how to use a $4000 device; there's no point in spending $150 to learn how to use a $500 one, regardless of OS.
the way the OS looks is not the issue
the main thrust of "The MS" marketing strategy since win95 has been
"to put a windows PC in every home"
and with that marketing strategy comes
more sales = lower costs = more sales =
every normal person, every genius and every idiot owns at least one
I have seen both sides of that coin, one as an end user, and the other as an enforcer of company policy.
My user experience was first encountered shortly after I started with my current employer. For whatever reason, employees were NOT allowed to change the wallpaper on our desktops. Now, I am a fan of Alicia Keys; and, unaware of that stupid policy, put a quite flattering photo of her (you can find it here: http://www.thewallpapers.org/download/20708/alicia-keys-030-wallpaper/1600x1200) as my desktop.
God, did the s--- hit that fan. I had it out with the brainless wonder (aka `damagement`) in HR who proposed that rule. As a result of me challenging that policy, employees were allowed to change wallpaper as long as it was NOT objectionable (like swimsuit photos). What it took was the exercise of common sense, something absolutely missing in a `zero tolerance` environment (of `damagement`).
But, as an IT enforcer, there are times and places for a `zero-tolerance` policy. IT had determined that someone was using the company internet connection to make files available to people who `knew where to knock`. The type of files involved could have invited a visit from `rights monitoring` organizations. It hurt morale when one of our department got fired for doing that; but, the company could have taken a serious hit financially if that behavior was allowed to continue. Sometimes, you have no choice.
Policies can not always be a `one size fits all` kind of situation.
We enforce a solid blue background with company logo centered on the desktop. Management wants a uniform and professional look to our desktops throughout the organization and I agree with them. In the customer areas of our facilities, customers will at times see the background. We as a company want to portray a professional image at all times to our customers. Your background being your favorite sports team, comic, celebrity or whatever does not do that.
on a blue background would say to me the lazy f'kers aren't working....
It's a sad loser control freak policy. Okay you don't want pictures of naked women all over them, but you deal with that issue as it arises. It's way better than telling your people, individuality is undesirable...
Treat your employees like adults until proven otherwise: Right, in this context, you're saying to have NO written rules to state the company's expectations of using its equipment. Lawsuits will be the least of such a company's problems.
Help staff use new tools appropriately: Fine if you don't care who gets the company's confidential information displayed on butt-book and other logically inviting info stealers in spam, unsafe sites, etc. What reason are you going to use to dismiss them; failure to do what they weren't expected to do?
This goes a lot deeper into a company's guts than you apparently realize. Such a company is going to be full of spies, human and digital both.
In the past I was really policy minded, but this piece of text explains exactly what happens when IT enforces policies. I think it is a good eye opener!
Patrick
Sorry Pat, but if you are unaware of legal matters covered by IT policies then you should really not list "Executive IS/IT Management (CIO, CTO)" in your profile.
Surely, the context in which the original post was written is fine from the perspective of helpdesk staff (if it is an eye opener for you, then I am really wondering about your position description now).
That said,
1.) The real purpose of IT policy is to maintain work ethics. That is, most of the IT staff practicing ethical approach (possibly) do not need one (they might use it though to get informed on how their employer thinks about certain things). You need one for those who do not practice appropriate work ethics. Not having one, can cost you a lot of money (especially in Holland where you list that you come from). I am not even going to start on security policies, it could be another eye opener for you, I suspect.
2.) Of course; IT policies that have been written and maintained by idiots are useless (unfortunately most of them are). A proper policy should not hinder anyone from performing their work properly
3.) "A policy is typically described as a principle or rule to guide decisions and achieve rational outcome(s). The term is not normally used to denote what is actually done, this is normally referred to as either procedure or protocol. Whereas a policy will contain the 'what' and the 'why', procedures or protocols contain the 'what', the 'how', the 'where', and the 'when'" - under above definition, could you tell me again what is wrong with a properly written policy?
Judging by your posts and real life (I have run several big IT projects last couple of years with budgets of 4M Euro+) - it is shocking to see and experience how quickly the quality of IT staff is deteriorating in the industry. Over a few years, I suspect it will be really hard to find and employ people that truly know what they are talking about, I am having difficulties doing so already.
You say: "Judging by your posts and real life (I have run several big IT projects last couple of years with budgets of 4M Euro+) - it is shocking to see and experience how quickly the quality of IT staff is deteriorating in the industry."
I agree. I am amazed that there are IT people who claim to be college graduates and yet cannot write a simple sentence without grammatical and spelling errors.
...please keep in mind that not all the people here are native English speakers, or use English as primary language at their job (myself included).
It is the content that is worrying me, such as extremely poor argumentation, total absence of fact; and/ or obvious lack of knowledge or experience -- more than grammatical or spelling errors.
My only argument is that Adults cannot follow rules that do not exist. What may seem to be common sense to I.T. may not be common for the rest of the company. I really hate developing policies that cover possible abuses, but it is a necessary evil.
And don't forget one of the other reason for a policy... to prove to the auditors that you have a policy covering those auditable areas!
I think my biggest confusion and disagreement about what has been said or implied in the article and earlier responses is why a detailed policy is mutually exclusive with conducting layman education with users.
As others have pointed out in their responses, policies covering the essential scope and purpose for company resources protect the organization in legal and disciplinary settings. However, the kind of proactive (or more importantly, interactive) education of the company leadership's views on appropriate computing in the workplace is not mutually exclusive to having a complete written policy.
I argue that comments like users should keep up to date with IT guidelines without coaching is a lackadaisical position to take as an IT department. Giving a concise summary of the changes at regular intervals in smaller servings is a more palatable alternative that encourages understanding and compliance. Following up with engaging user education and demonstrations also reinforces the value of IT policies and provides a feedback mechanism for users to critique new and existing policy for the better.
I rewrote our policy. The previous version was 28 pages of "thou shalt not" commandments and veiled threats. It was awful. I wouldn't read it...
I have rewritten it as a 4 page document which outlines the various risks which the company wishes to mitigate itself against. HR and Senior Management still wanted to add stuff which detracts from its beautiful simplicity but basically it is very high level. Why get into "Facebook" or "orkut" or whatever. Just say "IT systems are provided for business use and excessive personal use may result in disciplinary action." This covers pretty much all eventualities. "use of IT systems to access materials which are inappropriate for the office environment may lead to..."
Our last policy had whole lists of types of websites you can't go to. Why bother? People know what is and isn't OK.
But sometimes they don't, or they don't care.
I've seen logs from Websense where the same user repeatedly tried to access the same blocked web site, despite the fact that each access told him/her that the site was blocked by agency policy (which was actually pretty loose).
If Joe Bloggs is trying to get on hardcoredwarfsex.com from his office PC, you can remind him this is not acceptable under the usual HR policy. If he does it again after that then you can fire him.
My company has disabled all e-mail links in all e-mails as corporate policy, and HR has an announcement about it. They sent out an email and to view the new policy -- just click the link!!!!!!!!!!
IT's only responsibility is to ENFORCE the policies outlined by management. You don't see police officers writing legislation and rendering judgement do you? Their job is to enforce written law.
If your IT department is writing AUPs or other policies, you're already starting out in a bad place. The people who have the authority to hold others accountable for infractions should be the ones writing the policy.
Although I'm not sure I'm that happy with the role of IT as a police force either...
If management want to enforce policy we will provide the tools and facilities to allow them to do so.
IT should advise on these kind of policies but they need to be owned and enforced by the business leadership.
I think the article points out well how NOT to communicate policies in general. The example of HR spam puts it in the right light. However lack of IT Policies is asking for a world of hurt for the entire company. One worm attack can cause hours or even days of diminished productivity. Let's also not forget that IT policies apply to IT. Imagine no policy for application access? User creation? Incident resolution?
This article indicates a lack of maturity and experience. From the typographical errors to the failure to understand that policies are necessary to avoid legal issues, the article indicates that the author does not take responsibility for his work. Sorry to be so harsh. IT people tend to spend way too much time reacting and nowhere near enough time planning. They react with the quickest, easiest solution they can find and ignore the potential consequences of what is often an irresponsible and inadequate effort. This ends up wasting business resources in the long run. I've seen it happen on several occasions, where an employee fails to follow policy and ends up wasting money. Your point seems to be that if the employee is not going to follow the policy anyway, why have one? In the end the policy becomes the basis to eliminate such employees without risk of a wrongful termination suit.
The author must have never worked for a company that was the subject of a sexual harassment lawsuit because one of the users was viewing "Adult Content" within earshot/view of other employees.
It's been my experience that policies are in place more for legal-backing and to set expectations from employees, not to be "Big Brother" or "The Facebook Police".
Speaking of Facebook, my company blocks it because of security and privacy reasons. People are going to find ways to waste time and "Take 5" regardless of the sites we do and don't allow.
Frankly speaking, most of the articles Patrick writes for this site just show how out of touch he really is with those who work in IT. It seems his view of IT professionals is one of the classic unkempt, socially-inept nerd who has a superiority complex.
...as the phrases used and general stance of the article relies on the fallacy that humans are generally "good" and left to themselves will find the best options and opportunities.
However, as most here have given witness to, mankind defaults to self-interest and dismissal of authority. "I will do as I please." This same ideal is tempered in a public setting to maintain social norms, but without policy (i.e. rules), only self-interest is served.
Now these policies and rules can be both external and internal. Some things we are forced to do, some we internalize and adhere to without external pressure.
So are we truly discussing the effectiveness and need of policy or the depravity of man?
This article is way off base for many if not most organizations in my estimation. I work as a government contractor supporting the DoD. Can I even imagine not having IT policies in this environment? Of course, in this case, national security is often at stake!
No wonder. Those that can't...teach. Those that can't teach...consult. Scary.
So the employee failed to follow policy and cost the firm money, so it wasn't an effective policy, or wasn't effectively enforced, or said employee wasn't effectively managed then....
After all what twit employed this person in the first place?
Were they cheap perhaps?
If you wish to have an enterprise with those options, I wish you good luck ... In too many situations in my career I've seen people act quite more like kids than adults in a badly managed or not-at-all managed environment...
Worst ever, you want to treat people like adults, but their knowledge about IT is often worse than one than a 5 years old kid. What I mean, you may have 45 years old but your comprehension of a computer maybe not as good as a 5 years old kid. So, how can you make sure that those people perform the good actions when they aren't aware of half what they are doing in front of a computer if there are no restrictions in force?
And I'm not talking about malwares, viruses, and security threats (internal are always more dangerous than external, remember?), legal obligations....
I think that what is not aligning with your enterprise goals must not be authorized. I'm open to check a new thing coming out if it may help productivity but never to let everything let loose (you can call me old mentality if you wish, I don't mind...). For example, if people need internal IM or web based product for intranet, do not go for Facebook. Choose something locked for an enterprise like yammer or internal only IM like OCS from Microsoft or others...
With rules of conduct, chaos will take place, and money will fly through windows ... who can afford that in these days?
We have tried this approach in the past...and we end up being the kid tied to the flagpole during lunch hour.
It's a great concept, but unfortunately, we are dealing with individuals who don't mind if intellectual property is compromised. Now, if we were to let everyone come to their house and muck up things for a few days on their home units, then maybe, just maybe, they would have a better comprehension of what lengths we go through to protect them, their business property and our company.
Just my 2cents
Over the past 30 years, I've seen everything from an admin assistant who was on ebay for an average of 6 hours a day--- to an engineer who edited limewire music (22GB of it!) for 5 hours a day. So-- I've evolved an IT policy that is a six-page contract that each employee MUST sign. Without the legalese, here are the salient points:
1. These are the company's computers, NOT YOURS!
2. You may use the COMPANY computers for work-related tasks and NOTHING else.
3. You may not load anything on Company computers without approval.
4. If you don't know what you can or cannot do, ASK!
5. If you violate these rules, you may be fired, AND you will be personally liable for any cost that the Company incurs because of your violation.
6. If this is not simple enough for you, you are fired NOW as you are too juvenile to work here.
Work is WORK-- it is not leisure time, and the IT equipment is no more your personal property than the chair we gave you to sit in.
The biggest problem in most firms IS NOT who should make policy-- It is finding anyone in management that has the minimal balls needed to ENFORCE simple, common-sense rules.
My recommendation? Fire someone from time to time just to let everyone know you are not willing to hand ALL jobs over to countries where they are making $3.75 an hour-- or LESS!
Draconian? No. Just our little way of making sure we have the money in the bank to back up that paycheck you get on a regular basis.
7. From the moment you enter the company, every second spent belongs to the company. If you, so much as spend one single solitary second on anything other than company business, you will be terminated with extreme prejudice.
Every second? Don't be silly! We're running companies here-- not the work Camp in "Cool Hand Luke"! But-- employees do need to "Get their minds right". (Google 'Cool Hand Luke' if you have one of those wasted seconds).
Getting your mind right is the process of learning how to use good judgment. AND-- for the past 30 years, we've been "educating" our kids against JUDGING ANYTHING! This is a PC reaction to the IMPROPER and FLAWED judgments made by bigots, sexists, and hedonistic idiots with no self control-- who did not want to be "judged" for showing up at work hung over or stoned!
Management is all about judgment and discretion. It is difficult. That's (theoretically) why managers are supposed to be getting the "big bucks". But, sometime back in the '70's, we saw that 'judgments' ended up with somebody "feeling bad" 'cause they were judged to be less competent than their peers-- or, even worse, they were found to be doing (dare I say it?) SOMETHING WRONG! This made the person being judged "feel badly". Then, we were convinced that self esteem was the most important thing in life-- even if you were a bleeding, lazy idiot! WE WERE CONVINCED THAT WE ARE ALL SO SPINELESS THAT WE COULDN'T TAKE THE PROCESS OF CRITICISM THAT WOULD LET US LEARN HOW TO BE BETTER AT-- WHATEVER!
The Solution? Simple. No more judging people. No matter what.
The alternative? POLICIES! FORMS! RULES! PAPERWORK!
Examples? Zero tolerance rules in schools. Little Johnny can't take his prescription meds to school to be administered by the school nurse. Why? Zero drug tolerance. So, Johnny stays home. Why? 'Cause the school administrators are so "judgement averse" that they would rather "cover their butts" with the Zero Tolerance Policy instead of analyzing the individual situation (with their brains--which have by now atrophied!).
A bigger example? In the 1870's we invented the Civil Service system to eliminate the "abuse of discretion" in hiring (abuses like nepotism, cronyism, etc.). The result? A paper system so massive that it has eliminated ANY discretion in hiring and firing of gov't. employees! Decisions are NEVER on the heads of the managers-- it's always a system or policy thing! A guy shows up with a bomb in his underwear, and no one gets fired-- instead, we're told it was a "system problem."
What's wrong with this? THE WORLD, AND THE WORKPLACE IS WAY TOO COMPLICATED FOR A PAPER SET OF RULES TO COVER EVERYTHING! THE POLICIES AND PAPERWORK BECOME A CRUTCH FOR MANAGERS TO ABDICATE THEIR DUTY TO USE GOOD JUDGMENT! THIS IS SEEN BY EMPLOYEES--AND STUDENTS. THEY LEARN THAT ANYTHING GOES IF IT IS NOT IN THE POLICY. AND, EVERYTHING CANNOT BE IN THE POLICY.
The PC anti-judgment, anti-discretion attitude is why we have IT abuse in the first place. We need managers who set good examples by constantly pointing out good AND BAD behavior.
Every second? Of course not. We need employees who are human enough to congratulate their fellow workers on big life events-- to sympathize with them in their tragedies-- to discuss why the Steelers won, or why the Browns lost (short discussion there!).
We DON'T need somebody downloading 12,000 songs for their Ipod-- or forwarding dirty jokes to their cousin in emails. Nor do we need Elf Bowling, Holiday screensavers with spyware, or Facebook Virus Scams.
No, you should NOT be fired if you Google the 'Cool Hand Luke' reference above. Hey, you might use it in your next presentation speech! BUT--if you spend half of the morning on IMDB cause you want to research every Paul Newman movie-- That's another matter! THAT'S WHERE MANAGERIAL JUDGMENT COMES IN! IF YOU DON'T KNOW THE DIFFERENCE, OR, IF YOU DON'T HAVE THE YA-YA'S TO MAKE THE ARGUMENT TO THE HR DEPARTMENT-- THEN, IN MY JUDGMENT, YOU ARE NOT A MANAGER! AND, FOR GOODNESS SAKE, PLEASE DON'T EXPECT SOMEBODY IN THE IT DEPT. TO WRITE YOU A POLICY THAT YOU CAN HANG YOUR HAT ON IN EVERY SIMILAR CASE! ALSO, IF YOU ARE THAT JUDGMENT AVERSE, YOU SHOULD EXPECT YOUR COMPANY TO PUT YOU BACK INTO THE JOB MARKET WHEN A FIRM WITH REAL MANAGERS ROLLS OVER YOUR COMPANY!
Remember a year ago when Wall Street nearly caused the apocalypse when they said it wasn't their fault 'cause they had paperwork from other analysts who said sub-primes were really OK? They did that INSTEAD of using GOOD JUDGMENT!
SO-- Write a policy. Make it general enough to cover the interests of the company, to protect it legally, to ensure security. AND make it clear that the "micro" and situation-specific details are THE RESPONSIBILITY OF MANAGERS IN THEIR OWN JUDGMENT AND DISCRETION. If your managers have no capacity for judgment and discretion, fire THEM!
Your original six points were worded in such a way that his seventh point wouldn't have seemed out of place in your post.
Standards are good as long as everybody is held to those standards, including management. The problem is everybody in the company usually knows when a manager violates policy...except the manager's management. (That's the appearance, as the manager continues to violate policy and his manager continues to do nothing about it.) In the meantime, non-management employees are disciplined and fired for violating the same policies. In my experience, this corporate hypocrisy does more to destroy a company than any other workplace issue.