Computer security experts devote their time and energy to the protection of sensitive data and the prevention of an outside attack on the internal network.  They specialize in building secure firewalls as well as complex intrusion detection systems designed to keep intruders out.  They watch and monitor the incoming message traffic very closely.  But no matter how well they protect the private network from outside access without proper authority, they do not help prevent an attack by a malicious or disgruntled employee from the inside. And they cannot prevent breaches due to a simple lack of understanding of security policy by internal employees.

When do YOU think an organization needs information systems security policies? Why?