The management buy-in step occurs twice in the development process: at the beginning, before any detailed work commences, and again when the design is complete. At the beginning of the development process, management should be asked to approve the concept of desktop security. If management won't enforce and support the policy, don't waste resources on development. If they agree to support the concept, then once the design is complete, present them with a report for approval detailing each aspect of the policy, what it offers in terms of added security, and the effects it will have on normal operations.

Step two: Evaluate the risk of an unauthorised access attempt
You can make a reasonable estimation of the likelihood of an unauthorised access attempt by considering both the desirability and the vulnerability of your organisation's data. In making such an evaluation, your IT department should seek input from the employees in the company who have the clearest understanding of how much someone outside the organisation might want to get that data. This is a crucial step because it will determine the required strength, the cost, and the inconvenience of the security policy to be implemented.

Step three: Assess current physical security
A thorough understanding of the degree of security provided by the physical environment in which the computers reside is important for fine-tuning your security policy. The more vulnerable your environment is to external intrusion, the more restrictions need to be implemented in the policy. When making this evaluation, consider the following:
- Are your organisation's PCs located in offices that are locked when not occupied?
- Are your organisation's PCs located in an open, shared workspace?
- Are your organisation's PCs easily accessible to the general public?
- Are your organisation's PCs locked to the desks?
- Do visitors to and employees of your company wear ID badges?
- Are visitors accompanied by employees at all times?
- Are burglar alarms used on the windows and doors outside of regular business hours?