« Phishing | Main | Social Engineering Self-training »

Policy and Practice - a Talmudic distinction

It's hip, of course, to be able to use Talmudic in a description of regulatory environment - but this is actually going to use the Talmud as a source. Policy is what we write down; practice is what we do. The relationship between them is nicely covered in the first tractate of the Talmud.

Mishna. From what time can the Shma be recited in the evening? From the hour when the priests go in to eat their tithes until the end of the first watch - the words of Rabbi Eliezer. And the Sages say: Until midnight. Rabban Gamliel says: Until the break of day (Brokhos 2a).
There is a bunch of esoteric coverage about the start point - but what about the end point? Why are both midnight and daybreak listed?
Mishna. Whenever the Sages say "until midnight," the obligation extends until the break of day.... Then why did the Sages say "until midnight"? In order to keep people from transgressing (Brokhos 2a).
And that is the difference between policy and practice. A well written policy should never be broken - and one way to ensure that is to have practice be more stringent than the policy.

Note that I except from this rule CYA policies, of the sort lawyers tend to write to protect organizations from liability.

(Thanks to Born to Kvetch by Michael Wex for the inspiration).