The discussion we've been having on the term "policy" has been generating quite a bit of traffic for my inbox. I'm going to share a fair amount of that with you while trying to avoid the activity colloquially known as "kicking a dead horse."

While we all probably use the phrase "kicking a dead horse" to mean arguing a point long after either everyone has conceded the point, or simply lost interest, its original meaning was a bit different. A rider "kicks" a horse to urge it to go faster. Obviously, a dead horse can't go any faster. So kicking a dead horse is a futile attempt to do something. Thus, in debate, kicking a dead horse should mean arguing a point when there's no hope the other side will be convinced to accede to your point of view. At some point in a discussion, you may be inclined to state that the two parties should simply "agree to disagree." After that point, anyone still arguing is "kicking a dead horse." So if the discussion of "policy" goes on for far too long (as this aside has!), then let me know that I can "stop kicking."

Jeff Davis, a director of product architecture at Safestone Technologies (https://www.safestone.com/), mentioned that before being directly involved in the world of identity management, he was "... always amazed about how vendors use the words Policy and Rules interchangeably." He explains: "The Policies I was involved with in my former life at a bank were very high-level and were supported by more stringent rule sets. It was the rule sets that could be 'codified' or 'enforced' electronically. Other policies could not be supported by rules but supported by practice and the practice was subject to providing an audit trail to ensure compliance."

Policies, points out Davis, should be paper-based (like the original example of a "dress policy"; see https://www.nwfusion.com/newsletters/dir/2004/0830id2.html). Rules are then codified to support the policy.

Davis gives as an example a corporate policy (i.e., one written in a policy manual) that might state "You must change your password at regular intervals." Rules of the form "You must change your password every XX days" could then be instituted electronically, where the number of days ("XX") would differ for different groups and roles.

One of Davis' points is that policies should be harder to change than rules and that rules are used to support policies. He concludes: "I would prefer the vendors use the term Rule Based IAM [Identity and Access Management] rather than policy based as an IAM solution is quite specific in its approach and a tool to support/enforce policy. As for acronyms - maybe BRML and XBRML." (As a security guru, Davis uses IAM where many of us would use Identity Management.)

I certainly can't disagree with the broad outlines Davis presents. If you can, or if you can bolster his argument, drop me a line and let me know.
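To make the policy/rule distinction concrete, here is an added example (mine, not Davis's and not Safestone's product code) of how the password-age policy above might be codified. The written policy is kept as a plain statement that nothing enforces directly; the rule set that supports it is a per-role table of maximum password ages; every evaluation, and every change to a rule, lands in the same audit trail. The role names, day counts and sample users are constructed for the example, and a role with no codified rule is treated as the "practice plus audit trail" case Davis describes: it fails closed and is recorded so a reviewer can see the gap.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple

# The written policy. Deliberately a plain string: nothing in this module
# enforces it directly; it is the statement that the rule set supports.
POLICY = "You must change your password at regular intervals."

# The rule set that codifies the policy electronically: maximum password
# age in days, keyed by role. Roles and numbers are constructed for this
# example, not taken from any real deployment.
PASSWORD_MAX_AGE_DAYS: Dict[str, int] = {
    "administrator": 30,
    "finance": 60,
    "staff": 90,
}


@dataclass
class User:
    name: str
    role: str
    last_password_change: date


@dataclass
class AuditRecord:
    when: date
    subject: str
    event: str      # "compliant", "expired", "no_rule" or "rule_changed"
    detail: str


def evaluate_user(user: User, today: date, rules: Dict[str, int],
                  audit: List[AuditRecord]) -> bool:
    """Apply the rule for the user's role and append an audit record.

    Returns True when the password is within the role's maximum age.
    A role with no codified rule fails closed and is recorded as
    'no_rule' so the gap is visible to whoever reviews the trail.
    """
    max_age = rules.get(user.role)
    if max_age is None:
        audit.append(AuditRecord(today, user.name, "no_rule",
                                 f"role {user.role!r} has no codified rule"))
        return False
    age_days = (today - user.last_password_change).days
    detail = f"{age_days}d old, limit {max_age}d for role {user.role}"
    if age_days > max_age:
        audit.append(AuditRecord(today, user.name, "expired", detail))
        return False
    audit.append(AuditRecord(today, user.name, "compliant", detail))
    return True


def change_rule(rules: Dict[str, int], role: str, max_age_days: int,
                approved_by: str, today: date,
                audit: List[AuditRecord]) -> None:
    """Rules change more often than the policy text, but never silently:
    each change is validated and written to the same audit trail."""
    if max_age_days <= 0:
        raise ValueError("maximum password age must be a positive number of days")
    old = rules.get(role)
    rules[role] = max_age_days
    audit.append(AuditRecord(today, role, "rule_changed",
                             f"{old} -> {max_age_days} days, approved by {approved_by}"))


def run_review(users: List[User], today: date,
               rules: Dict[str, int]) -> Tuple[List[str], List[AuditRecord]]:
    """Evaluate every user; return (names of non-compliant users, audit trail)."""
    audit: List[AuditRecord] = []
    failing = [u.name for u in users if not evaluate_user(u, today, rules, audit)]
    return failing, audit


if __name__ == "__main__":
    # Constructed sample users: one over the limit, one within it, one whose
    # role has no rule at all.
    today = date(2024, 6, 1)
    sample = [
        User("alice", "administrator", today - timedelta(days=31)),
        User("bob", "finance", today - timedelta(days=31)),
        User("carol", "contractor", today - timedelta(days=5)),
    ]
    failing, trail = run_review(sample, today, dict(PASSWORD_MAX_AGE_DAYS))
    print("policy:", POLICY)
    print("non-compliant:", failing)
    for rec in trail:
        print(rec.when, rec.subject, rec.event, rec.detail)
```

The point of the layout is that the two things Davis wants kept apart really are apart: changing the number of days for a role touches only the rule table (through `change_rule`, which leaves its own audit entry), while the policy statement stays untouched and, in practice, would need a different and slower approval path to alter.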