Network security experts agree that well-run corporations need a written security policy. The policy sets appropriate expectations regarding the use and administration of corporate IT assets. However, the conventional w isdom holds that composing and maintaining these documents bog down in a morass of bureaucratic inefficiency and pointless wrangling, which never ends and produces nothing usefu…