December 18th, 2008 by Chandler Howell

I have an interesting example of Policy actually making things worse for you all today. It’s not horrible, but it illustrates the point and I can talk about it, so I will.

Today someone asked me if I knew that one of the floors of a facility I visit from time to time is a “No Visitors” area. This is due to the fact that the marketing teams have product prototypes as well as all of their collateral and other materials displayed or in-progress on this floor. I had to confess that I did not realize that. Even worse, most of the people who don’t reside in the “No Visitors” zone, as well as some who do, also don’t seem to be aware of that fact.

Enforcement is, as you would imagine, non-existent. That would be rude, after all.

To make matters worse, not only is there no access control (doors or guards), signage or other markings telling people that this floor is off-limits to visitors, but the canteen, which is open longer hours than the main cafeteria (for coffee, snacks, etc.), is located on this floor. As a result, there’s a steady stream of people who, even if they are employees, really have no business wandering around this floor at any given time.

So we have a situation where the people who need to display confidential information do so, safe behind the warm fuzzy blanket of their “No Visitors” policy. Everyone else wanders around their area in blissful ignorance that they shouldn’t bring their visitors through there on the way to the canteen.

And I get to clean up more messes. Happy almost-Friday!

- Posted in Security and Risk Management, Risk Management

My reading of this example is that Policy is being used as an ineffective patch for a failure of Architecture. In other words, there is a de facto physical architecture that involves visitors walking through this department, and an unenforced (and possibly unenforceable) policy saying they shouldn’t.

If you want to protect the department, you probably need to change the physical architecture. Provide an alternative route to the canteen, and install enough barriers (like sleeping policemen) to discourage people taking short-cuts through the department. Or you move the marketing department to a different floor.

You still have the policy, but now the policy is used as an architectural design constraint rather than expecting the mere existence of a rule to alter people’s behaviour.

Alternatively, you try to change the behaviour of the marketing department. After all, there are fewer of them.

- December 19th, 2008 at 3:34 am |

Alex G Says:

Interesting example.
The problem here doesn’t reside in the policy itself but the implementation of the policy.
The “intent” is to make this specific area a non-visitor area for obvious business needs; that’s perfectly acceptable, it is the intent based on the needs of this business unit/division.

The “how” is what is failing here; essentially, “how do we support that statement of intent” here failed.

Out of curiosity, what action steps are you considering to resolve this?

- December 19th, 2008 at 5:48 am |

I should have mentioned it in the original post, but I’m going to suggest implementation of key-carded doors and signage around the area, which is the entire floor of a large facility. The area in question is tens of thousands of square feet.

The explicit risk here is visitors, but I would argue there’s significant insider risk as well, since there’s a stairwell that is both adjacent to the canteen and would be outside the secure area.

In the interim, I’ll recommend email reminders along with posted signs, maybe get myself a “Visitor” badge and wander through to see how long before someone challenges me. I doubt I could get a guard until doors could get built, but it might be worth asking.

We have the concept of “labs” which are physically secured spaces for engineering work, but not for “office” functions, so this could be an interesting test of the level of interest (i.e. willingness to spend) to solve these sorts of problems.

And, yes, I totally agree that the “How” is an essential piece of the puzzle. Or, as an auditing type I used to work with always put it, “Yes, but what’s the control?”

- December 19th, 2008 at 6:32 am |
