One of the problems with policy is that the intended message and the delivered message are often not the same. The business develops policy based on lots of different factors: regulation, business needs, company culture, security, usability, etc. In a perfect world they are crafted with input from many different LoBs and run through legal, HR, and user groups. They then get approved and put into practice at work. That is where the problem often begins. Once they are approved they are ignored, not always purposefully but inadvertently. Someone sends out a notice to let everyone know that a new or updated policy is now in place and that they should read and become familiar with it.
Then everyone goes on their merry way and no one outside the group that wrote the policy knows what it says. Sure, they have an idea because of the summary given in the announcement, but that is about it for most people. Then something happens and someone is allowed to ignore the policy, or maybe just to “alter” or “reinterpret” it. Take the situation that occurred when police officers were allowed to get around a policy that said they were not to use their department-issued communication devices for personal use. Instead of enforcing the policy, their supervisor (or someone) said that they could use them for personal use as long as they paid for any overages incurred. This went on for a while until someone reviewed some messages that were sent and an officer was disciplined for what was in the message. This is where another part of the policy comes into play. You see, officers were also told that policy stated there should be no expectation of privacy when using department-supplied equipment. Yet the officer felt that since he was paying for his personal messages, they should be private.
You may think that this is pretty clear cut: the officer is wrong, policy was clear, and his discipline should stand. The problem is that the enforcement of the policy was not consistent with the intent of the policy, and officers were allowed to ignore it. In other words, the message was not the message. What was intended and what was enforced were not the same, and therefore the policy is weakened and possibly useless. There was no consistency between the intent and the implementation of the policy.
The team at Information Nation has a quick write-up on this that is worth the read, if for no other reason than it reminds us of the importance of consistency in how we apply policy. I think the bigger message is that there has to be a more concerted effort on the part of the company to ensure that policies are understood, applied and enforced. The cycle of creating, announcing and forgetting has to end, or we might as well quit creating them. We can use our time deploying firewalls and AV. That's all we really need.