On a similar note regarding my previous post on the Omaha mall incident, apparently the mall has a policy against concealed weapons – and apparently (I haven’t confirmed) there’s a Nebraska state law backing such policies in private businesses in that state. This event not only shows how vulnerable we really are but it’s also a classic case of stupid policies/laws such as this ONLY apply to law-abiding citizens.
In the context of IT security, I actually see and hear of this quite a bit where policies are created for the sake of having a policy, or political correctness, or to satisfy an auditor – whatever – knowing that they’ll do more harm than good or that they’ll never be enforceable. Keep this in mind when creating your own organization’s information security policies. Make them reasonable and enforceable… otherwise they’re just for show and will come back to bite you or someone you care about down the road.