• United States

Mailbag: Use of the words ‘Policy’ and ‘Rules’, Part 1

Sep 13, 20043 mins
Access ControlEnterprise Applications

* One reader is amazed how vendors use the words "Policy" and "Rules" interchangeably

The discussion we’ve been having on the term “policy” has been generating quite a bit of traffic for my inbox. I’m going to share a fair amount of that with you while trying to avoid the activity colloquially known as “kicking a dead horse.”

Jeff Davis, a director of product architecture at Safestone Technologies ( mentioned that before being directly involved in the world of identity management, he was “… always amazed about how vendors use the words Policy and Rules interchangeably.”

He explains: “The Policies I was involved with in my former life at a bank were very high-level and were supported by more stringent rule sets.  It was the rule sets that could be ‘codified’ or ‘enforced’ electronically.  Other policies could not be supported by rules but supported by practice and the practice was subject to providing an audit trail to ensure compliance.”

Policies, points out Davis, should be paper-based (like the original example of a “dress policy” see Rules are then codified to support the policy.

Davis gives as an example a corporate policy (i.e., one written in a policy manual) that might state “You must change your password at regular intervals.” Rules of the form “You must change your password every XX days” could then be instituted electronically where the number of days (“XX”) would differ for different groups and roles.

One of Davis’ points is that policies should be harder to change than rules and that rules are used to support policies. He concludes: “I would prefer the vendors use the term Rule Based IAM [Identity and Access Management] rather than policy based as an IAM solution is quite specific in its approach and a tool to support/enforce policy.  As for acronyms – maybe BRML and XBRML.” (As a security guru, Davis uses IAM where many of us would use Identity Management.) 

I certainly can’t disagree with the broad outlines Davis presents. If you can, or if you can bolster his argument, drop me a line and let me know.