The power of NOT saying "No"
I've always been dismayed when Information Security professionals are considered roadblocks. One tactic I have taken is to rarely, if ever, say "no" to a business project, idea or technology. My philosophy is that Information Security is a service industry: we provide a service to management by lending our expertise in understanding the consequences of their business decisions for the confidentiality, integrity and/or availability of the information we are tasked to protect. By withholding "no's" and instead providing alternatives to decisions that are detrimental to security, you open the door to a longer-term relationship with your internal customers, and you will often be seen as a partner who is sought out rather than a roadblock to be navigated around.
An example of the "No" roadblock - (not recommended)
Internal Developer - This application has a cool new authentication scheme built in. The vendor indicated it is proprietary and built into the software, and they tout that this makes it more secure.
Information Security staff - Sorry, but that is a violation of our security policy, which states "Only standards-based authentication mechanisms will be used." We can't allow you to move forward until you fix it. (A nicer way of just saying no, but in essence still no.)
Using the method above, you just tell the developer no and lose a valuable chance to gain an ally and service the needs of the business.
A better response to same scenario (recommended)
Internal Developer - This application has a cool new authentication scheme built in. The vendor indicated it is proprietary and built into the software, and they tout that this makes it more secure.
Information Security staff - Our policies indicate that this would be a deviation, but there is a way you can still accomplish authentication while using a central system (reducing your workload and our organizational access administration activities): use our central LDAP system. This should achieve what you are looking for. If this won't work or limits your ability to meet your target deadlines, we can also direct you to our Information Security Policy Exception Process, which allows you to approach senior management with your concerns and see if they will grant you an exception due to business need. Either way, please let us know what we can do to help.
This latter approach accomplishes the same thing as the first, but it offers alternatives. Even if your alternative doesn't work, you give the developer another way to solve their problem: your exception process (or whatever name you have for your process of appeals). If you don't have an appeal process, I highly recommend you develop one, so that senior management (whoever owns the policies) has a way to approve deviations from their requirements when business situations warrant it.