I was out at a customer site last week and needed to have access to their internal corporate network to do some work for the week.
Their process for providing access to outside consultants was actually quite mature - basically, I needed to send an email to an internal address asking permission for access. A series of emails was returned to me, containing user account information along with a very complex 18 character password.
The only problem with this process was that the security policy for my domain wouldn't allow me to change my password to one that was easier to enter! This meant that any time my machine timed out due to inactivity, I needed to re-enter the 18 character password again! To make things worse, I needed to log onto 3 different machines in the domain to get my work done - each of which would time out at regular intervals. So, as a result, there were times during the day that I needed to re-enter the 18 character complex password 40-50 times in order to get my work done!
I went to the manager who had hired me for the engagement, but he just shook his head and told me that they had been complaining about this policy for months - but their "Security Nazis" wouldn't let outside consultants change their temporary passwords - even though the accounts were only good for 24 hours anyway.
Needless to say, in order to get my work done, I needed to write down my password on a piece of paper and leave it on my desk all day so I could keep re-entering it (I find it hard to memorize H%10v35x!54hb800gb). And naturally, there were times during the week when I went to lunch or the bathroom and accidentally left that piece of paper next to my computer.
So what is the message here? Well, there are two that come to mind:
1. If you set security policy for a company and you make security difficult for your users, people will not want to work with you. Instead of thinking of the security team as partners, people will think of you as the enemy and avoid you at all costs.
2. If you make security an impediment for people to get their job done, they will (eventually) find a way around your security - creating an even bigger security problem.
This second point should be on a stone tablet somewhere, as I've seen so many instances of it over the years. In my circumstance as a consultant, I wrote down the password on a piece of paper and left it on my desk, as I needed to refer to it every 15 minutes. In other instances, I've known of people setting up 'back doors' to "get around" security, or using the good ol' boy network to get access to resources.
In either case, I'm sure there were some good reasons for setting up the security policy the way they did. Their flaw was in their failure to properly collect and respond to feedback from their users on any suggestions for improvement in policies handed down from above.
So in the end, when setting up security policies for an organization, it is essential to collect feedback from your users, and even modify security policies if necessary, to accommodate the needs of the business. The central security team of any organization needs to be thought of as a partner in the business, not the enemy.