Interesting Article  from the Computer Security Institute on creating security policies that really work.