Have you ever encountered a situation in which a security policy was not in line with observed or accepted behavior. If so, how do you think the situation came about? Would regular policy reviews have helped the situation? Are there any legal consequences to such inconsistent policy?
no less than 260 words, pls and thank you.