What is the problem with having departmental policies as opposed to corporate policies? I am on about any information management or information security policy - any IT related policy to be honest, but specifically stuff like information classification, data retention, records management, media sanitization etc etc. Where is the issue in each department having their own responsibilities to have such policy and procedures in place as opposed to corporate policies that mandate what each organisational department will do? I know it should be corporately dictated as opposed to departmentally but I am struggling to find some good justified reasons why – despite searching. Would prefer your comments as opposed to links.