An Identity Policy Suite

An identity policy suite is a collection of high-level policies that deal with identity. Figure 18-1 listed many of the common ones: authentication and authorization, naming and directories, encryption, software development, software licensing, networking, privacy, and federation. The number and type of policies depend on an organization's size and purpose.

The goal in creating policies at this level is to establish the boundaries within which other policies and procedures will work. The policy suite should provide a foundation on which other policies can be based. Therefore, it is important that wherever necessary, policies in the suite grant some role in the company specific authority to regulate the area further. The policy may also assign responsibilities to the role. In many cases, the policy may create the role.

For this strategy to be effective, policies in the identity policy suite will not typically be excessively detailed. At one extreme, the policy says nothing except to appoint a governing authority and leaves all decisions to that authority. At the other extreme, the policy is so detailed that there's nothing left for the governing authority to do. Strike a balance and err on the side of saying less rather than more. The policies in the suite should state what is non-negotiable and leave as much room as possible for the governing authority to meet the demands of the organization and users within those guidelines.

The ...
