We must make a distinction between policy and procedures (standards, guidelines, etc.).
A policy states "what" is to be done. It should be a high-level document that is immune to many types of changes, such as technology, ownership, management, reorganizations, etc.
A procedure describes "how" the policy is implemented. It describes how the policy will be used, who will use it, who is responsible for it, how it is changed; basically, the nuts and bolts.
As an example, a company employee is issued a computer login configuration, consisting of a user-id and password.
The policy might say that each employee is responsible for the usage of their own logins, must change their password on a regular basis, could be fired for misuse, cannot use it to access non-authorized computers, etc.
The procedure might define how long the password will be, any repeating/special characters, how often the password gets changed, etc. In this manner, if the underlying computer systems change, then the procedures will change, and not the policy. The policy is approved by senior management, but middle management is tasked with the implementation and day-to-day workings.
Data security policy should not need to identify where the data is located, but rather state that data is to be classified, and certain data is to have limited, authorized access.
These are just a few items, but I strongly believe that you must separate policy and procedures.
Traffic rules have been around for many years, but none (or at least very, very few) talk about specific automobiles. And the reason is that they don't discuss the implementation of the traffic rules; they let the law enforcement agencies enforce the policies.
If companies developed policies, then a lot of this type of 'wandering' could be avoided.
Just my $0.02 worth.
MM