
212 Handbook of SCADA/Control Systems Security
Policy is mandatory for the most part, since it is key to governance. Degrees of
requirement for compliance are typically set out in policy in the use of the words
“must, shall, will, should, may,” and the like. The implications of these words are
important; it is a challenge to expect deterministic performance or results if there
is little compulsion in the policy. While for the most part all governance relies on
influencing others for compliance, the wording nonetheless should be as
unambiguous as possible at the outset. Because it is intended to be mandatory, policy
should be free of any influence ...