In previous chapters we have discussed, in some detail, the process for creating a business model and inventorying processes and identities. If you have performed these activities, you should have a good idea of how the business is using identity information and what priority the business places on various resources.
Identity policies will typically come from one of four places:
Business inspired projects and processes
Feedback on existing policies
In Chapter 9, I discussed the metadirectory project that the State of Utah completed. This project was driven by a clear business need—specifically, the governor and others wanted a better URL for state web sites and shorter email addresses. This project inspired policies about naming conventions and directory interaction. This is just an example of how business projects and processes inform identity policies.
To some, driving policies from business projects and processes may seem somewhat less than pure. But in fact, that's the point. By tying your policies to the places where they are needed, you'll get better policies and avoid creating unused policies. As an example, you may determine that you can justify the creation of part of your identity infrastructure on the basis of the savings from password reset. That's a perfect opportunity to create naming, password, and directory policies. Even then, you might opt to create just the parts ...