Certain cybersecurity practitioners have no knowledge of the implication when writing policy statement even with help from external subject matter experts.
A typical example is that host with “dual home” connection must not be allowed. There are some rationales that this network setup will incur cybersecurity risks but only on particular scenarios. It is risky if one network interface card (NIC) lands on trusted zone while the other NIC lands on a “dirty” zone. The host is then acting as a network firewall that might not be robust as a dedicated network firewall device capabilities.
But if the host (especially in control systems) needs this setup to be managed by computer management system (e.g. domain controller) in one network while the other network manages the controllers, sensors and the design is certified by the manufacturer, blindly changing this to non-dual home setup will affect the intended operational capabilities.
Lesson learned: don’t write something that causes your business immediately falling into non-compliance state. Always understand your business environment, listen to your business users feedbacks to formulate baseline policies but find ways to enhance incrementally (not overnight, not turn-key). Always accept that there is no 100% cyber secure environment for business. Don’t do something solely base on textbox knowledge without actual field experience and applicability. Focus your effort to formulate protection at strategic level rather than micro management of these minute details.