Port scanning is not necessarily a bad thing, nor is having a policy to ensure your network is
secure using port scanning. But when you have an inside user "playing", it can wreak havoc.
Port scanning is a useful tool for Admin purposes and I support it. Also, don't forget to test your policy before implementation. I have seen policy implemented before testing and it created a mess.