When last we met (in a virtual sense, that is), I had asked your help in defining “policy” so that it no longer was the ambiguous term - used by those of us in the identity management arena, those in the security camp and those with an application or service to sell who want to latch onto the latest buzzword - with so many meanings that it really had no meaning. I knew I could count on you to come through, and you did.

One suggestion which came up repeatedly resolves itself to: don’t change anything. The argument is that there are so many different people with an ax to grind that consensus is impossible. If we in identity management try to seek a consensus definition we won’t succeed because no one else will accept our consensus. Thus we lose precision with no gain in understanding.

What we risk, of course, is that others will misunderstand what we mean, to our detriment. To avoid that we would need to define the term almost every time we use it, especially to those outside the identity management discipline - those who more and more are making the identity management decisions.

While the premise, getting everyone to agree on a definition, is most likely true, I’m not sure the conclusion, that we stick to our own definition, is the best answer.

Some others pointed me towards the IETF’s RFC 3198, “Terminology for Policy-Based Management”:

https://www.faqs.org/rfcs/rfc3198.html

This RFC was co-authored by John Strassner, formerly of Cisco, who almost single-handedly created what became known as Directory-Enabled Networking (DEN). For this feat I awarded him the Wired Windows Networking MVP award for 1998. Strassner’s book, “Directory Enabled Networks,” is now, sadly, out of print but might still be found in a good used technical bookstore. More than a chapter was devoted to DEN’s policy model. This all led to the need for a vocabulary, a terminology, a taxonomy for discussing policy.
The RFC was the natural outcome of this need. One of the terms the RFC defines is, of course, “policy.” This is what it says:

“‘Policy’ can be defined from two perspectives:

- A definite goal, course or method of action to guide and determine present and future decisions. ‘Policies’ are implemented or executed within a particular context (such as policies defined within a business unit).
- Policies as a set of rules to administer, manage, and control access to network resources [RFC3060].

Note that these two views are not contradictory since individual rules may be defined in support of business goals.”

The reference to “RFC3060” is to a document (also co-authored by Strassner) describing an object-oriented information model for representing policy information. John spent a long time at Cisco, and we can see that his thinking in terms of “policy” was heavily influenced by the security usage of that word he encountered at the network hardware company. Still, the second definition, “Policies as a set of rules,” ties in neatly with another very good response I received and which we’ll get to in the next issue.