"Yes, too much information can be gained from the data users post." Joey Hernandez, senior consultant at Delta-Risk LLC, reserve consultant at Jacobs Technology and communications officer for Information Operations at Texas Air National Guard, San Antonio, Texas
"Yes, policies need to be created that lays ground rules for employee use while at work and when representing the company outside of work." Phil Agcaoili, Information Security, Risk, Privacy, & Compliance Executive, CISM, CISSP, Austin, Texas
"Yes, it has been my experience that most & were written years ago and are not current with technology. Unless an institution has an aggressive program of policy review, they rapidly fall out of relevance to the current environment." Robert Myles, director, information security, CISO at Texas Health Resources, Dallas.
"Policies ultimately represent the corporate culture and will either be loose, tight or as most companies are somewhere in between. The underlying theme I have seen with most policies is 'The network is company owned, monitored and to be used for business purposes.' Therefore it is pretty broad and allows individual employees to define whether new toys or tools should be classified as a business purpose or not. My take on this is that organizations should not be changing their policies as policies should be able to with stand new faddish toys/tools that enter the market place. Yet I do believe organizations should change their enforcement procedures to meet to current impacts to the organizations. For example blocking social sites is not a bad thing if productivity loses is great enough to impact the output of the organization. This very well could be a culture change where Internet usage was loosely allowed, but due to a high demand on the network and loss of productivity from social sites they need to be blocked. The counter to this is that it could be a productivity increase if someone updates one the social sites stating they are working vigorously on a very important project that will show enormous returns for the company. This may result in fewer walkups, phones calls and distracting text messages as people will recognize the individual is hard at work. My conclusion is that if the culture already exists and the policies reflect the culture then there should be no need for change in policy and only change in enforcement actions. Yet if the culture and the policies have a degree of disparity then I would say there is a need for a change." Michael Leigh, owner, BrokenArrow Security, Austin, Texas