An organization may adopt different measures as part of its security program to ensure that its tangible and intangible properties are protected. For example, a company may use a firewall for network protection, security guards for protection of physical locations, and access cards to control access to sensitive areas. To control and standardize many aspects of an organization's security, a security policy is generally promulgated within the organization with the expectation that the policy will be properly implemented by those within the organization.
As the organization expands and branches out to diverse and sometimes unrelated fields, the organization's security policy may become increasingly difficult to implement. Further, because of the diverse and often competing needs of different parties in an organization, it may be difficult to formulate a security policy that allows all parties within the organization to engage in their respective activities without unduly hindering some of the group from their activities or exposing some of the groups to an unacceptable level of security risk.