Any security policy that deals with Internet access, Internet services, and network access in general, should be flexible. This flexibility must exist for two reasons: the Internet itself is in flux, and the organization's needs may change as the Internet offers new services and methods for doing business. New protocols and services are emerging on the Internet, which offers more benefits to organizations using the Internet, but may also result in new security concerns. Thus, a policy needs to be able to reflect and incorporate these new concerns. The other reason for the flexibility is that the risk of the organization also does not remain static. The change in risk may be a reflection of major changes such as new responsibilities being assigned to the organization, or smaller changes such as a network configuration change.