Security - part 4 of X - Policy.

by Jesse 30. April 2009 05:15

Ah, policy.  The magic document that says how things should be done.  I love them the most when they haven't been reviewed in 6 months.  Why?  The world wasn't the same 6 months ago: new laws, new trends, ideas, methods, products, people (remember them?), all of them change within 6 months.  Why am I picking on 6 months?  I just made it up - if your shop is more dynamic, lean and fast paced, it might even be shorter.  Most major companies don't change them for years; good companies review them often.  Notice I didn't say change?

Policies are great when they are simple, clear and, most importantly, understandable.  Years ago, Steve Riley (no relation) gave a talk about asking for the rules governing a firewall and receiving 2 reams of paper.  No surprise, it wasn't effective.  As he put it, "an exception, to the exception, to the exception" let traffic into the network that never should've been allowed.  Due to its complexity, no one knew what the firewall was doing.  This should serve as the initial indication that it's time to review the policy, simplify it and put it into practice.

This is totally my opinion, but policy should have a solid, clear reason behind it and behind every item within it.  Keeping up company morale isn't one of them.  Why?  Morale doesn't mean a thing if the business goes belly up because someone let their kid download porn and the media finds out a system with customer data was compromised by a big DUH.  Ok, so it's not always that drastic (is it?), but it's not the driving force; the business IS.

A while back when I was running a terminal services cluster, we disabled Flash.  Why?  Some sites spiked the CPU load to high values, and since we couldn't control where users went (business driven), we just controlled the Flash.  No problem: Flash disabled, performance remained consistent for all users instantly.  Within 24 hours, while walking through the halls, I was stopped by one of our TS users and asked, and I quote, "Hey, why doesn't mountain dew dot com come up anymore?" to which I explained our policy (it slows the system down, shared resources, etc.) and I was amazed by the response: "well, we need to turn it back on, I need to get to mountain dew dot com, this is unacceptable."  And for the record, this was a municipal govt agency.  This user went to their supervisor, and I use that term loosely, and I was told to "just turn it back on".  Yes, I'm serious, and no, the policy stayed so long as there wasn't an "acceptable, business-driven reason" -- news flash: this will not earn you popularity points, so be prepared to defend it.

This comes full circle when any policy is challenged, and it SHOULD be challenged.  If there IS a business reason, the policy will need to be changed.  Ultimately it's the business that makes the policy, more specifically, those in power.  Without their buy-in, there's no weight.  Without weight, it won't be enforced.

So how do you know when there's a policy problem?  One clear indication is when you hear "it's always been done that way"; the translation is "we don't know why, the process sucks, but it's what we're used to."  For a slightly humorous look at how this happens, check out the Five Monkeys experiment (not sure if it was ever conducted, but either way, it tells the story well).  That should be a green light to start ripping into it and finding out WHY it's done that way.

So what's your company policy on access?  On disasters?  On hiring?  On firing?  On layoffs?  On sensitive documents?  On system usage?  ...you do have one, right?  Does it still apply and make sense?

© Copyright 2007-2009