Explain what might happen if managerial guidance SysSP documents have not been written or provided to technical staff.

What will be an ideal response?

Imagine that management fails to convey to the firewall technicians its intent with respect to the firewall's technical configuration. In the absence of such guidance, the technicians will rely on their own experiences and training to select rules they feel are appropriate. The organization will then experience numerous problems if and when business needs conflict with the technicians' perception of the security function of a firewall. If this were an organization with a need for ultra-high security, such as a Department of Defense contractor, and if the technicians developed a set of firewall rules with an intermediate degree of control, the organization might find itself underprotected, having a need for a high degree of control. On the other hand, with the same set of intermediate-level rules, an organization with an open environment, such as an academic institution, might find itself overly restricted, with the flow of information stifled. This wide range of possible needs is why it's necessary to carefully direct the development, implementation, and configuration of all technologies in the organization, especially security technologies