– David J. Lineman, president of Information Shield (www.informationshield.com), says:

Security group policies are the right approach, assuming a Microsoft-based network architecture that supports this approach for all employees. There are times when custom-built or legacy applications cannot be controlled using group policy, so it is a good idea to still have a higher-level set of management policies that work with the technical controls. The idea of limiting access based on the need-to-know is a high-level management policy that is supported by a variety of technologies.

It is critical to document what is actually done in group policies with written security policy documents. This enables the organization to document these security controls to auditors and third parties with a need to evaluate the security posture of the organization.