8

Preparing Policies and Procedures to Avoid Internal Risk

In the previous chapter, we went through the main principles for deciding which controls to adopt and how to apply them, in terms of the controls and the risk management related to our entity. As already explained, if we buy off-the-shelf software rather than developing our own, there is no need to implement the software-development controls (just remember to record that exclusion, with its justification, in our Statement of Applicability), and so on. However, once we decide to adopt a control, we need to prepare (or update) our policies and procedures accordingly.

In this chapter, we will go through all this with a hands-on flavor: in fact, my aim is also to give you a good number of practical tips on how to write policies (and procedures).

We’ll have a (one-way, of course) conversation related to the following topics:

  • Company policies
  • Policy writing instructions
  • Company procedures

Company policies

The purpose of a company policy is to define standards of behavior within a business, detailing the duties of both workers and employers. The administration of corporate policies and procedures seeks to safeguard both the legal rights of employees and the economic interests of employers. Depending on the demands of the company, diverse policies and procedures set rules for employee behavior, attendance, dress codes, privacy, and other aspects of the terms and conditions of employment.

How do you determine the appropriate policies for your business?

In the following scenarios, a company should develop and apply policies:

  • Company-wide guidelines on the proper way to conduct oneself (dress codes, email, internet policies, or smartphone use)
  • Guidance for dealing with typical situations (standards of conduct, travel expenditures, or purchase of company merchandise)
  • Legal aspects of the organization (charges of harassment or discriminatory hiring and promotion practices)
  • Adherence to government regulations and agencies (the Family and Medical Leave Act, the Americans with Disabilities Act, the Equal Employment Opportunity Commission, or minimum wage regulation)
  • Establishing uniform work rules, regulations, and standards (progressive discipline, safety rules, and guidelines on breaks and smoke breaks)
  • Offering workers equitable treatment (eligibility for benefits, paid time off, tuition assistance, bereavement, or jury duty exemption)
  • There may be other reasons to adopt a policy, but don’t let one employee’s poor conduct be the impetus for a rule that will affect everyone else

To maintain compliance and a healthy corporate culture, employees require consistent company policies to guide them in their tasks and responsibilities, as well as in the organization’s underlying business values, ethics, and beliefs. Additionally, written rules and procedures help shield your business from legal action.

Creating written rules may seem like a daunting undertaking, particularly if you are also managing other responsibilities, but here are a few policies to get you started:

  • Personnel policies – Clearly specify business hours, codes of behavior, employment conditions (in terms of hiring and termination), earnings or salary (and bonuses, if applicable), insurance and health benefits, paid versus unpaid vacation days, sick leave, and retirement.
  • Disciplinary action policies – Address concerns of honesty, performance, safety, and misbehavior, as well as identifying what constitutes a breach of corporate policy and how workers will be penalized if they break particular regulations.
  • Safety policies – Create rules describing what safe conduct at work looks like, how to use safety equipment, how to report safety hazards, and so on, using industry best practices and applicable local, state, and federal regulations as guidelines.
  • Technology policies – Establish standards for acceptable and unacceptable internet, email, and social media use for personal reasons in the workplace.
  • Privacy policies – Protect your staff, your organization, and your customers by implementing a policy that promotes openness and trust with your customers.
  • Payment policies – Determine the conditions for consumers and suppliers to do business with your organization. Set an appropriate payment period and define penalties for late or non-payment.
  • Policies on confidentiality – Protect sensitive information and make sure to include vendor, customer, and other supplier ties.
  • Whistleblower policy – Ensure you have a policy against retribution to safeguard your workers and your business.
  • Policies on employee performance – Define the job of each employee, including their degree of responsibility, decision-making power, broad objectives, and particular duties. Identify explicit mechanisms for performance monitoring and personnel development via training.
  • Document and record retention rules – Develop organized policies for document retention and storage in accordance with local, state, and federal regulations. Be extremely careful with this one, as GDPR retention requirements may apply as well.

Policy writing instructions

When establishing a new policy or updating an existing one, you should adhere to the following writing tips:

  • Keep things simple – Policies need to be expressed in straightforward terms, not legalese. The policy should be simple for all employees (from the CEO to the cleaning personnel) to comprehend.
  • Keep it generic – Policies cannot foresee every conceivable circumstance, so they should be drafted generally enough to apply across a variety of situations. Detailed guidance can then be offered separately, in the form of frequently asked questions, procedures, or standards.
  • Make it relevant – The policy should explain to the audience why it exists, who it impacts, the most important rules and constraints in it, when and under what conditions it applies, and how it should be implemented. Terms of … should be explained explicitly for the reader under Definitions.
  • Verify correctness and consistency – Ensure that the proposed policy is consistent with the policies already in place (if any). At the same time, verify that it does not conflict with any current national, federal, or state laws, regulatory requirements, or industry standards.
  • Ensure that the policy can be implemented – A policy should not be developed if it is not intended to be enforced or if it makes commitments without securing enough resources.
  • Clearly specify who is responsible for what – Define the roles and responsibilities of departments and people with precision. Ensure that the policy specifies who is permitted to make particular choices and who is accountable for carrying out certain responsibilities.
  • Less is more – A policy does not need to be long. In many cases, shorter is preferable. The purpose of the policy is to communicate vital information simply and clearly. Longer policies may be harder to comprehend, implement, and interpret.

So far, we’ve defined a policy as a collection of rules or instructions for an organization and its personnel to follow in order to accomplish a certain objective (e.g., compliance). Policies state what workers must or must not do, and provide directives, boundaries, principles, and decision-making guidelines. Policies answer questions such as “what?” and “why?”

What about procedures, then?

Procedures are the complement of policies: they specify how a policy is to be implemented. A policy states a rule, whereas a procedure specifies who is expected to follow the rule and how. Procedures answer questions such as “how?”, “when?”, and “where?”

Without examining their objective, far too many businesses perceive rules and procedures as a necessary evil. It’s not about best practices or becoming a soulless corporation; the objective of policies and procedures is to describe what management wants to occur and how it should occur.

I’ve come to feel that the key difference between a small and a medium-sized organization is whether or not management has taken the time to design, implement, and maintain policies and procedures.

Companies with mature policies, processes, and systems are simpler to audit, have a better grasp of their security posture and risk, and seem to operate much more sustainably than those that have paid little attention to governance.

The importance of policies and procedures versus their pain

Once management knows the definitions of policies and procedures, they cease asking, “What are policies and processes?” and “What is a policy’s purpose?,” and ask, “Why am I required to develop policies and procedures?” Small firm management often has the same set of obstacles to documenting policies and procedures, all of which relate to the complexity, corporate culture, and time constraints involved. However, let’s not forget: the benefits of policies and procedures exceed their disadvantages. The aim of policies and procedures extends much beyond the simple documentation of regulations. Typically, my description of these advantages sounds like this.

Drafting policies and procedures takes effort, but it is not that difficult. Most organizations already have working rules and processes, even if undocumented; otherwise, they would not be in business. It’s obviously simpler to specify security from the outset, but that doesn’t mean you can’t start with what you’re doing today and refine it later.

Occasionally, the main obstacle is not how difficult it is to document rules and processes, but rather how afraid most people are of documenting how they’re doing things incorrectly. Begin with where you are and then be realistic about where you want to go. In certain instances, you may not meet the best-practice level, but if you allow that embarrassment to prevent you from documenting your rules, you are missing the point. Knowing precisely what you are doing today allows you to determine what you should be doing tomorrow. It’s how you create a realistic budget, detect real business risks, and react effectively when something goes wrong.

If your practice isn’t right, but you’re honest about it, it’s far less of an issue than if you have nothing documented.

One of the best examples of how to write a privacy policy, for instance, comes from Twitter. As one of the biggest and most popular social networking platforms in the world, Twitter’s privacy policy is an excellent example of a comprehensive but easily accessible policy. Utilizing color coding, hyperlinks, and highlighting, it is well organized and straightforward to navigate. However, its length is a significant drawback. Observe the scroll bar: the length makes it harder for the user to quickly grasp how Twitter collects, uses, and protects user data (you can check it here: https://twitter.com/en/privacy).

Policies and procedures will not change your company, but they’ll probably change your perspective! Writing everything down, implementing formal procedures, and establishing expectations will require you to surrender some flexibility. These changes may need adjustments to the corporate structure, business culture, revenue funnel, or informal but excellent procedures to satisfy the criteria you have outlined. Depending on your current organizational structure, you may realize that you require extra personnel to undertake new duties, or that some procedures will move more slowly.

For instance, once new rules and processes are in place, your network engineer must get management approval before making a firewall change. Your team may no longer be able to simply pick up the phone and request access to an extra network segment. Isn’t that going to add some time, and maybe some irritation, to the process? On the other hand, how much would you lose if you lost the one person who knew precisely why your firewall was configured the way it was? Without documenting these procedures, you create enormous single points of failure. People, training, standards, and applications: how much is that small bit of overhead worth if it guarantees that you have a firm grasp on what’s happening inside your organization, your networks, and your enterprise?

However, you may reduce the magnitude of the transition by incorporating your company’s culture into its rules and processes. Nowhere does it state that rules and procedures must be excruciatingly formal, tedious to read, and packed with legalese. What are the factors that attract potential employees? Adapt your rules and processes to your company’s culture, operations, and interpersonal dynamics. This will reduce the difficulty of applying them and help protect your organization’s identity.

Do you remember the White Rabbit in Alice in Wonderland, that bizarre rabbit with a huge pocket watch muttering that there’s no time? Well, that’s the case here. I’ve never heard “There is no time” so often as an excuse for not writing policies and procedures. In a world of lean staffing, quick turnover, and a focus on accomplishing more with less, it may be incredibly difficult to find time for governance. That excuse does not hold, though. I can offer you management book after management book, essay after essay, and white paper after white paper on how following set rules and procedures will benefit your organization at every level.

If you can commit to implementing and enforcing your rules, you will be astounded by the short-term win of how much easier audits become and even more astounded by the long-term benefits you will get. Your operations will be less stressful, your employees will have more direction, and, if done correctly, you will finally understand precisely what you are managing and why.

The benefits of policies and processes exceed their disadvantages. The rewards of committing to the process are substantial.

How to physically write a policy?

Use a template: establishing a consistent policy template ensures that each policy document is ordered and comprehensible. It establishes the baseline for how all future policies will be written and arranged so that they are simple to read and navigate.

Even if you produce a number of additional regulations in the years to come, the format will be simple to duplicate since you have established this standard today. This will also facilitate the writing process and save a substantial amount of time.

Tip

If your entity has not established any policy yet, a good idea could be to create a policy on how to draft a policy.

Here are some suggestions for things to put in your draft policy:

  • Information regarding the policy, such as the policy’s title, the dates for when it becomes effective and is revised, the approver’s signature, and the department(s) it applies to
  • Introduction or statement of purpose: what is it about? Why is it necessary?
  • What is the organization’s stance on the subject?

It’s vital to clarify terminology as you go, particularly words and phrases with various meanings and industry- or job-specific terms. This makes rules simple to comprehend and might save you from having to argue over terminology in the event of litigation.

Define employee conduct guidelines and limits. What are the repercussions for violating a rule?

How are incidents and violations to be reported? What is the method for reporting?

Basically, think before writing. Once a policy is approved, it can take time to retire it, get approval from the management again, and so on.

Selecting a method for managing the process

You could create all the regulations in your preferred word processor, but then you’d have to distribute the document so that everyone may annotate their own copy, resulting in many copies of the same page.

Alternatively, you can upload it to a cloud-based word processor, therefore reducing the number of versions you need to manage. Everyone is able to edit the same document and all changes will be saved. However, you still want a solution that provides version control and can match your rules to your accreditation and licensing requirements.
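Once policies live under version control, the metadata the template asks for (title, effective date, revision date, approver, and the departments it applies to) can be checked automatically on every change. The following is an added example, not code from the chapter: it assumes each policy is a plain-text file opening with a short `key: value` header, and the field names and the yearly review cadence are assumptions chosen for the illustration. The two sample documents are constructed for the example.

```python
"""Lint the metadata header of policy documents kept under version control.

Added example, not from the original chapter. Assumes each policy file starts
with 'key: value' header lines followed by a blank line; field names and the
12-month review cadence are assumptions made for this illustration.
"""
from datetime import date, timedelta

REQUIRED_FIELDS = ("title", "effective", "last_reviewed", "approver", "applies_to")
MAX_REVIEW_AGE_DAYS = 365  # assumed cadence: every policy is re-reviewed yearly
AS_OF = date(2024, 1, 10)  # fixed "today" so the example is reproducible


def parse_header(text):
    """Return the 'key: value' lines that precede the first blank line as a dict."""
    header = {}
    for line in text.splitlines():
        if not line.strip():
            break
        key, sep, value = line.partition(":")
        if sep:
            header[key.strip().lower()] = value.strip()
    return header


def lint_policy(text, today=AS_OF):
    """Return a list of findings; an empty list means the document passes."""
    findings = []
    header = parse_header(text)

    for field in REQUIRED_FIELDS:
        if not header.get(field):
            findings.append(f"missing required field '{field}'")

    # Dates must be ISO formatted so they sort and compare unambiguously.
    try:
        effective = date.fromisoformat(header.get("effective", ""))
    except ValueError:
        effective = None
        findings.append("effective date is missing or not ISO formatted (YYYY-MM-DD)")
    try:
        reviewed = date.fromisoformat(header.get("last_reviewed", ""))
    except ValueError:
        reviewed = None
        findings.append("last_reviewed date is missing or not ISO formatted")

    if effective and reviewed:
        if reviewed < effective:
            findings.append("last_reviewed precedes the effective date")
        if today - reviewed > timedelta(days=MAX_REVIEW_AGE_DAYS):
            findings.append(f"review overdue: last reviewed {reviewed.isoformat()}")

    # A policy without a named approver has not been formally endorsed.
    if header.get("approver", "").lower() in ("", "tbd", "pending"):
        findings.append("policy has no named approver; it is not in force")

    return findings


# Constructed sample documents (not real policies).
GOOD_POLICY = """\
title: Acceptable Use of Company Internet
effective: 2023-01-15
last_reviewed: 2023-11-02
approver: Jane Roe, CIO
applies_to: all staff

1. Purpose
Our company internet connection is largely used for business purposes ...
"""

BAD_POLICY = """\
title: Visitor Access
effective: 2021-03-01
last_reviewed: 2021-02-20
approver: TBD

1. Purpose
Visitors are required to sign in and provide identification ...
"""

if __name__ == "__main__":
    for name, doc in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, lint_policy(doc) or "OK")
```

Run as a pre-commit hook or in the repository’s CI, a check like this turns the “approver’s signature” and “revision date” items of the template into something enforced on every change, and it flags a policy whose review has lapsed before an auditor does.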

Establishing a policy management group

Depending on the size of your firm, you may need assistance in writing your policies and procedures. A policy group also facilitates buy-in from stakeholders within the firm and ensures you don’t overlook vital facts.

Since your rules will affect everyone in the firm, you should enlist the assistance of individuals from diverse departments. Consult the subject matter experts on the operation of a certain department or function. Include those who understand and can assist you in adhering to any applicable local, state, and federal laws affecting the operation of the group.

Tip

Let’s suppose you write an HR policy covering all the steps related to hiring, termination, and so on; national, regional, or other laws will apply. It is therefore imperative to collaborate with your HR team to produce a better and more definitive policy.

Now that you have management support, an organized team, a framework, and a technological solution, you are prepared to begin writing. Here is how it should function.

Prioritizing a policy list

You cannot write every policy at once and some policies are more significant than others; thus, make a list of policies that must be completed first. Prioritize your new regulations and amendments based on their relative significance and establish a schedule and sequence for their completion.

Consult with your policy team (if there is one) to determine what needs to be addressed. Defining these priorities with your ultimate objective in mind can help you remain on track.

Conduct thorough research. Examine your present processes to determine how things are currently carried out. Additionally, evaluate any compliance concerns that may have prompted your policy review.

There are many approaches to analyzing and studying existing processes:

  • Interviewing people responsible for day-to-day activities
  • Observing colleagues to determine existing practices
  • Interviewing internal and external specialists
  • Finding the most recent legislation, rules, and accreditation standards
  • Identifying overlapping rules to ensure uniform terminology and standards

Creating a preliminary draft

Writing policies and procedures is an ongoing process. The first draft will need many modifications. It makes sense to get input from stakeholders and colleagues and you should edit your copy depending on their comments.

Having someone other than the policy owner produce the original draft brings in an outsider’s viewpoint, which ultimately makes your processes more transferable to everyday operations.

This might also assist to clarify the wording and eliminate any unnecessary technical jargon from your work.

Avoid using a large number of industry-specific words, particularly if your company spans many licensing groups, roles, and sectors. The same acronyms and words may have different meanings to various employee groups; thus, you need to prevent misunderstanding.

Additionally, limiting technical jargon can make it simpler for new workers who may be unfamiliar with the business to comprehend your rules and processes.

Verifying the processes

To guarantee the validity of your methods, you must see them in operation; it is generally a good idea to have the workers who conduct the daily job execute the processes.

Remember that this only applies to the Procedures section of your handbook and not to the policies and forbidden activities sections.

Sending a draft out for review

Now that you have a draft, it is time to evaluate it; if a non-specialist authored the first document, you should have a specialist examine it. This is the key to the success of your policy. You will have to walk a fine line between the thoroughness your subject matter specialists require and the clarity and simplicity your non-experts need.

Obtaining final approval and signatures

Typically, a member of the executive team must approve any new policy. Because they are ultimately responsible for the policy, they must formally endorse the final document. This should always be carried out by the appropriate level of leadership for each policy.

For instance, you do not need the CEO’s approval for new spill cleanup measures, but you do for workplace harassment and the handling of confidential information. Equally, the IT manager should not approve an employee conduct code on their own; that responsibility lies with the executive who is ultimately accountable (the CTO or CIO for its technology provisions).

Employee Code of Conduct example draft

The Employee Code of Conduct is one of the most essential components of the employee handbook. We prepared a code of conduct template to help you convey your expectations to your staff straightforwardly and sensitively.

Remember that this template is not a legal document and may not comply with all applicable local and national regulations. Please ask your attorney to review the finished policy documents or handbook.

Template for the Employee Code of Conduct

You are accountable for behaving correctly at work as an employee. Here, we outline our expectations. We cannot cover every possible situation of behavior, but we have faith that you will always use sound judgment. Contact your human resources department if you have any concerns or questions.

The dress code

The official dress code of our company is business/business casual/smart casual/casual. This consists of slacks/loafers/blouses/boots. However, a worker’s position may also influence their attire. If you often meet with clients or potential clients, please dress more formally. We want you to arrive at work well groomed and avoid wearing unprofessional attire (e.g., workout clothes).

As long as you adhere to our aforementioned criteria, we have no special expectations about your attire or accessories.

We also allow and respect how religious views, ethnicity, or disability influence grooming styles, dress styles, and accessories in the workplace.

Internet security and electronic devices

This section concerns everything digital in the workplace. To maintain security and safeguard our assets, we wish to establish standards for the use of computers, phones, our internet connection, and social media.

Internet use

Our company internet connection is largely used for business purposes. However, you may occasionally use our internet connection for personal reasons, so long as it does not interfere with your job duties. If requested, we also expect you to temporarily cease personal activities that slow down our internet connection (such as picture uploading).

You are prohibited from the following:

  • Using our internet connection to download or upload vulgar, offensive, or illegal content
  • Transmitting sensitive information to unauthorized parties
  • Invading the privacy of another individual and obtaining access to sensitive information
  • Downloading or uploading pirated movies, music, material, or software
  • Visiting potentially harmful websites that may compromise the security of our network and PCs
  • Carrying out unauthorized or unlawful acts, such as hacking, fraud, or the purchase or sale of illicit items

Cell phones

We permit mobile phone usage at work. However, we also want to ensure that your devices will not distract you from your job or disturb the office environment. Please adhere to the following very basic rules:

  • Use your mobile phone for work-related purposes (business calls, productivity apps, calendars)
  • Use an empty conference room or common area for personal calls so as not to disturb your coworkers
  • Avoid playing mobile games and texting excessively
  • Never use your cell phone while operating a company vehicle
  • Do not use your phone to record confidential information
  • Do not download or post improper, unlawful, or obscene content while using our business internet connection
  • Additionally, you may not use your phone in locations where it is expressly forbidden (e.g., laboratories)

Corporate email

Email is crucial for our business. You should use your workplace email mainly for business purposes, although we permit occasional personal usage. Guidance on how to use business email at work:

  • Use for work-related purposes. There are no restrictions on using a corporate email for work-related activities. For instance, you may subscribe to publications and online services that will benefit your career or professional development.
  • Personal usage. You may use your email for personal purposes so long as you maintain its security and avoid sending spam and releasing sensitive information. You may, for instance, send emails to relatives and friends and download e-books, manuals, and other information for personal use.

Our general expectations

Regarding how you use your business email, we want you to avoid the following:

  • Registering for unlawful, untrustworthy, disreputable, or questionable websites and services
  • Sending unsolicited commercial emails or material
  • Registering for a competitor’s services without permission
  • Sending offensive or discriminatory communications and information
  • Sending unsolicited emails, even to colleagues

In general, use strong passwords and stay alert for malicious or phishing emails. Ask our security team if you are unsure whether an email you received is safe.

Social media

We want to give some recommendations in order to avoid irresponsible usage of social media in the workplace. We will discuss both the usage of personal social media at work and the use of social media to represent our organization.

Personal use of social media at work

General guidance on how to use social media at work:

  • You are authorized to access your personal accounts at work. However, we want you to behave responsibly and productively in accordance with our rules. Specifically, we request that you exercise self-discipline and avoid being distracted by social media networks.
  • Ensure that people are aware that your personal account or claims do not represent our organization. Use a disclaimer such as “These are my personal thoughts.”
  • Refrain from divulging intellectual property (such as trademarks) or sensitive information. Before sharing unannounced corporate news, consult your manager or the public relations department.
  • Avoid any information that is libelous, insulting, or disparaging. You may be in violation of our company’s anti-harassment policy if you send this kind of material to coworkers, clients, or business partners.

Representing our business through social media

Guidance when managing social media on behalf of the company:

  • If you manage our social media accounts or represent our firm in public, we expect you to safeguard its image and reputation. Specifically, you must exhibit respect, courtesy, and patience.
  • If possible, avoid discussing topics beyond your area of expertise.
  • Comply with our standards on confidentiality and data protection, as well as the laws regulating copyrights, trademarks, plagiarism, and fair use.
  • Coordinate with our PR or marketing department before sharing any material that could have a significant effect.
  • Avoid removing or disregarding comments without justification.
  • Correct or delete any misleading or inaccurate material as fast as feasible.

Competing interests

When you have a conflict of interest, your own aims and your duties to us are no longer aligned. For instance, holding shares in one of our competitors is a conflict of interest.

In other instances, you may encounter an ethical dilemma. Accepting a bribe, for instance, may be financially advantageous, but it is unlawful and against our company code of ethics. If we become aware of such conduct, you will be fired and may face legal consequences.

Conflicts of interest are therefore a big concern for all of us. We anticipate that you will be cautious in identifying situations that constitute conflicts of interest for yourself or your direct subordinates. Follow our rules and always behave in the best interests of our firm. Whenever possible, avoid allowing personal or financial concerns to interfere with your work. Discuss any ethical problem with your manager or HR and we will do our best to assist you in resolving it.

Employee interactions

We aim to guarantee that all staff interactions are suitable and amicable. Please adhere to our principles and conduct yourself professionally at all times.

Fraternization

The term fraternization refers to dating or befriending coworkers. In this policy, dating refers to romantic relationships and consensual sexual encounters. Relationships that are not consensual constitute sexual violence and we expressly forbid them.

Dating coworkers

If you begin a romantic relationship with a coworker, we want you to retain your professionalism and keep personal conversations outside of the office.

You must also respect your coworkers who date one another. We will not accept sexual jokes, nasty rumors, or inappropriate remarks. Please notify Human Resources if you come across this kind of conduct.

Dating managers

To prevent charges of favoritism, misuse of power, and sexual harassment, supervisors are prohibited from dating their direct subordinates. This restriction extends to every manager above the employee in the reporting line.

Additionally, if you are the recruiting manager for your team, you cannot employ your spouse. You may recommend them to other teams or departments where you do not have management or recruiting power.

Employees who work together may develop friendships either inside or outside the workplace. This connection between peers is encouraged since it may facilitate communication and collaboration. However, we expect you to prioritize your job and leave personal issues outside of the office.

Employment of relatives

Everyone in our organization ought to be employed, acknowledged, or promoted on the basis of their abilities, character, and work ethic. We do not want to witness nepotism, favoritism, or conflicts of interest and thus, we impose employment limitations on relatives of workers.

To our organization, a relative is somebody connected by blood or marriage to an employee within the third degree. This comprises the following: parents, grandparents, in-laws, spouses or domestic partners, children, grandchildren, siblings, uncles, aunts, nieces, nephews, step-parents, step-children, and adoptive children.

As an employee, you may suggest family members to our organization. Here are our only limitations:

  • You may not have a supervisory or subordinate relationship with a relative
  • You are ineligible for transfer, promotion, or employment if you report to a relative
  • You cannot serve on a hiring committee if a relative of yours is being interviewed for that post
  • If you become connected to a manager or direct report after joining our organization, we may be required to transfer one of you

Company visitors

Please get authorization from our HR manager/security officer/workplace manager before inviting a guest to our office. Additionally, please notify our reception/gate/front office of your guest’s arrival. Visitors are required to sign in and provide identification. They will be given passes and asked to return them to reception/the gate/the front office at the end of their visit:

  • You have obligations when you have office guests. You must always attend to your guests (especially when they are underage).
  • Keep your guests out of places containing hazardous machinery, chemicals, private documents, or sensitive equipment.
  • Prevent your guests from proselytizing to your coworkers, soliciting gifts, or seeking participation in events while on our property.
  • Whoever brings orders, mail, or deliveries to our personnel must wait at the building’s reception or gate. If you are awaiting a delivery, front office staff/security guards will tell you so that you may collect it.

Distribution and solicitation

Solicitation is demanding any type of money, support, or involvement for unrelated items, individuals, organizations, or causes (e.g., religious proselytism or asking for petition signatures). Distribution refers to the act of spreading materials for commercial or political goals.

Non-employee solicitation and distribution are prohibited in our workplace. As an employee, you may solicit your colleagues only to ask them to help arrange events for another employee (such as the adoption or birth of a child, a promotion, or a retirement).

You may solicit support for a cause, charity, or fundraising event that is sponsored, supported, coordinated, or approved by our organization.

You may invite coworkers to employee events for permissible non-business purposes (e.g., recreation or volunteering).

You may invite coworkers to join legally protected employment-related activities or organizations (e.g., trade unions).

In all circumstances, we urge that you refrain from disturbing or distracting coworkers from their work.

Cloud hosting policy

This policy is quite specific, and it has been drafted so that it can be applied worldwide.

Tip

This is a policy sample.

  1. INTRODUCTION:

Information security exists to further the mission of ACME. ACME comprises diverse populations with evolving needs related to information technology resources and data. ACME management is committed to safeguarding those resources while protecting and promoting business and behavioral freedom. Although an intrinsic tension exists between the free exchange of ideas and information security, and this can manifest itself in some circumstances, the following framework has been identified to promote the best possible balance between information security and academic freedom.

This policy describes the requirements for the appropriate and approved use of externally hosted ACME platforms and services.

  2. PURPOSE:

To ensure adequate protection of protected data stored on ACME-owned, leased, or personally owned hardware and software, this policy establishes the requirements for the implementation, transfer, removal, and disposal of all hardware housing this kind of information.

  3. SCOPE:

This policy also applies to all users who have access to ACME resources, including all employees, contractors, guests, consultants, temporary employees, and other users. Determining the level of sensitivity applicable to a given form of data is the first step in establishing the safeguards that are necessary for that type of data.

  4. DEFINITIONS:

Cloud hosting of systems and/or data can be categorized as the following models:

  • Software as a Service (SaaS) is a software distribution paradigm in which consumers access applications, hosted by a vendor or service provider, via a network, usually the internet.
  • Platform as a Service (PaaS) makes it possible to rent hardware, operating systems, storage, and network bandwidth online. Under this service delivery model, customers can rent virtualized servers and related services to run their current apps or to create and test new ones.
  • Infrastructure as a Service (IaaS) lets an organization outsource the hardware, software, servers, and networking components necessary to support its operations. The equipment belongs to the service provider, who is also in charge of housing, operating, and maintaining it.

For the purpose of this document, the term cloud computing services is used to encompass SaaS, PaaS, and IaaS.

For cloud-hosted systems (SaaS, PaaS, IaaS, and similar) or data, each system owner must ensure the system protections described in the Information Classification Policy. So, it’s important here to define a protected system and the kind of protection given.

EU-GDPR: The General Data Protection Regulation (GDPR)

ISO/IEC 31010: A standard concerning risk management

ISO/IEC 27001: Specifies a management system that is intended to bring information security under management control and gives specific requirements

HIPAA: The Health Insurance Portability and Accountability Act of 1996

HITECH: The HITECH Act set guidelines on the adoption and meaningful use of interoperable Electronic Health Records (EHRs)

FISMA: The Federal Information Security Management Act of 2002

PCI DSS: The Payment Card Industry Data Security Standard

FERPA: Gives parents access to their child’s education records

PIPEDA: The Personal Information Protection and Electronic Documents Act (Canada)

Data custodian/data protection officer: The person in charge of a company’s written or electronic records, who safeguards the data in accordance with the company’s security policy or accepted IT practices.

  5. POLICY:

If sensitive data and/or confidential data is stored using cloud computing services, the contracts for those services must be approved by ACME Procurement Services, and the applicable Information Security Officer must evaluate the system’s security measures both before and after implementation, depending on the risk level.

In addition to other ACME policies, the following requirements must be followed in the use of cloud computing services:

5.1 – Pre-requisite Requirements

Consult with appropriate data owners, process owners, stakeholders, and subject matter experts during the evaluation process, or with the applicable Information Security Officer for guidance.

5.2 – Contractual requirements

  • 5.2.1 – Both ACME and the vendor must declare the type of data that they may transfer back and forth because of their relationship. A contract must have clear terms that define the data owned by each party. The parties also must clearly define data that must be protected.
  • 5.2.2 – The contract must specifically state what data ACME owns. It must also classify the type of data shared in the contract according to ACME’s data classification policy requirements. Departments must exercise caution when sharing sensitive or confidential data (as defined by ACME’s Information Classification Policy) within a cloud computing service.
  • 5.2.3 – The contract must specify how the vendor can use ACME’s data. Vendors cannot use ACME’s data in any way that violates the law or this policy.

5.3 – Ensure a Service Level Agreement (SLA) with the vendor exists that requires the following:

  • 5.3.1 – Clear definition of services
  • 5.3.2 – Agreed-upon service levels
  • 5.3.3 – Performance measurements
  • 5.3.4 – Problem management
  • 5.3.5 – Customer duties
  • 5.3.6 – Disaster recovery
  • 5.3.7 – Policies on the termination of the agreement
  • 5.3.8 – Protection of sensitive information and intellectual property
  • 5.3.9 – Definition of vendor versus customer responsibilities, especially pertaining to backups, incident response, and data recovery

5.4 – Cloud computing services should not be engaged without developing an exit strategy for disengaging from the vendor or service while integrating the service into normal internal business practices and/or business continuity and disaster recovery plans. ACME must determine how data will be recovered from the vendor.

5.5 – A proper risk assessment must be conducted by the applicable Information Security Office prior to any third-party hosting or cloud computing service arrangement.

  6. INTELLECTUAL PROPERTY AND COPYRIGHT MATERIALS (APPLICABLE ALSO TO PRIVACY AND DATA SECURITY)

Information that has been classified by ACME as Unclassified Public, Proprietary, Client Confidential Data, or Company Confidential Data may be used only in accordance with the policy related to the classification of information that can be found in the Information Classification Policy.

7 – Personally Identifiable Information (PII) may only be used in compliance with the federal, state, or local laws and regulations, or the industry standards, that protect it, such as the GDPR, HIPAA, HITECH, FERPA, PIPEDA, and PCI DSS.

  8. DATA AVAILABILITY AND RECORDS RETENTION:

8.1 – Ensure that all academic, administrative, or research-related data is retained according to the records retention and EU-GDPR requirements.

8.2 – Back up data regularly to ensure that records are available when needed, as many providers assume no responsibility for the data recovery of content (for further information, please consult the ACME Business Continuity and Disaster Recovery Policy).

  9. ROLES AND RESPONSIBILITIES:

9.1 – The Security and Data Security functions will be in charge of operations, with support from the Legal and ERP departments.

  10. OTHER APPLICABLE POLICIES:
    • P001: Information Security Policy
    • P002: Permanent change of where equipment is located within the ACME office
    • P003: Sale and disposition of equipment
    • P004: Equipment donations and transfers to other entities (e.g., charities)
    • P005: Equipment deletion from ACME assets
    • P006: ACME Acceptable Use Policy (AUP)

These are just examples: you can customize them according to your needs, find other templates and samples through the internet, and still buy some decent packages at a decent price online. Of course, my suggestion, as usual, is to involve a third-party consultancy to do the job, and then you can update them on your own.

Company procedures

Would you wish to undergo a complex process to get an additional pen or pad of paper? Of course not!

Procedures and their near relatives, policies, may be a genuine pain in the you-know-what. Sometimes, they are excessively stringent and limiting, while other times they are too general and missing specifics. However, if a colleague calls in ill and you are suddenly responsible in case of an emergency, you should substitute that sick colleague just by reading and understanding a procedure. Therefore, it is helpful to have a well-written, clear protocol to follow.

Procedures may have a significant impact on an organization if executed properly. When stated clearly and correctly, they may improve the functionality of systems and individuals. If your employees know what to do, when to do it, how to do it, and how to avoid making mistakes, you may decrease aggravation and save a great deal of time and energy.

Procedures are the company’s workhorses. Procedures detail “how to” complete a job or process, while policies outline how individuals should make choices.

Procedures emphasize action. They describe the actions to be performed and the sequence in which they must be taken. They are often instructive and may be used in training and orientation. Typically, well-written processes are solid, accurate, truthful, brief, and direct.

Writing an accurate, concise, and understandable method is not always simple. However, with a little bit of information and experience, you may develop good procedure-writing abilities and recognize many possibilities to enhance the quality of your work.

Tip

Numerous procedures seem black and white, with distinct phases and a single method: “Complete A, then B, and then C.” Occasionally, though, it is necessary to be less precise and allow for individual discretion. When a method is too restrictive, it might lead to misunderstanding. Since life is not always straightforward and uncomplicated, some methods must allow for subjectivity and individual choice.

When is a procedure necessary?

If you design procedures for basic jobs, they will be disregarded because they are unnecessary. The first guideline of creating procedures is to ensure that they serve a purpose: perhaps individuals forget to complete particular activities, perhaps they continue to make mistakes, or perhaps jobs are so lengthy and complicated that a checklist is required for success.

A documented procedure is only required if the problem is severe or if there is a substantial advantage to clarifying a method. Before you begin, consider whether people really need or want to know something.

When a process requires a procedure

To a certain extent, a process works on its own. Your company needs to write it down, however, to make it clear, when the process:

  • Is extensive (for example, a year-end inventory)
  • Is complicated (for example, benefits administration)
  • Is routine, yet everyone must rigorously adhere to the guidelines (for example, a payroll)
  • Requires consistency (for example, handling a refund request)
  • Involves documentation (for example, disciplining a staff member)
  • Involves considerable alteration (for example, installing a new computer system)
  • Has severe implications for error (for example, safety guidelines)

In a normal business, many tasks are performed without formal processes. Unwritten norms and informal processes exist. Occasionally, though, these unwritten principles must be codified by a process. Here are some examples of when this may need to occur:

  • Similar questions are constantly posed
  • People seem perplexed
  • There are too many possible interpretations of the technique

How to write a procedure

Not only what readers desire to know but also what they must know should be communicated in procedures. They may need to know how to do the task accurately, more quickly, or with less waste. They may also want to know why they must do a task in a specific way, where they may get assistance, and what happens if anything goes wrong. Whenever required, ensure that your processes address both technical and subjective factors.

It is also essential that your processes have the appropriate amount of information. Here are some questions to consider:

  • Do users have sufficient information to act?
  • Does it contain sufficient information to assist users in exercising sound professional judgment?
  • Is the degree of information suitable for the topic?
  • Is the degree of detail suitable for the audience?
  • How familiar are readers with the topic?

Step 1: gathering information

Before you begin writing, you should collect extensive information on the technique you are creating.

Talk with subject matter experts as well as those who hold essential knowledge, including long-time employees, stakeholders, technical personnel, and process users.

Take copious notes and then organize the material at your leisure. As the process author, you should have a comprehensive grasp of what is occurring. From there, reduce the information to just what the end user needs to fully comprehend the procedure. A mind map is a fantastic tool for arranging information; it may assist you in ensuring that you have included and linked all the necessary components.

Step 2: beginning to write

When writing the initial draft of your method, you should not be concerned with perfect terminology and structure. The primary objective is to provide the necessary information. After that, you can concentrate on the wording and arrangement.

Here are some helpful guidelines:

  • Record activities in the sequence in which they occur
  • Begin with the first action and conclude with the last action
  • Avoid excessive wordiness
  • Just be explicit enough to ensure clear communication
  • Use bullets and lists
  • If you are too brief, you risk losing clarity
  • Explain your assumptions and ensure that they are accurate
  • Utilize jargon and slang with caution

Step 3: evaluating design elements

You may discover that words alone are insufficient to describe the technique. Occasionally, additional features might enhance a presentation. Here are a few prevalent formats.

Flowchart

This is a schematic of a process. You may outline and simplify a process by using a sequence of symbols and arrows to show the flow of activity. Make sure that your chart does not include too many strange symbols or too much text. If necessary, divide it into many smaller flowcharts.

Playscript

This resembles a theatre script with many characters. In this instance, though, you list the staff members with their varying duties. Scripts may be particularly beneficial when several people are participating in a process:

Person in charge / Action:

  • Writer responsibility: gathering information; writing the process; sharing the draft with stakeholders
  • Stakeholder responsibility: reviewing the draft; submitting comments and corrections
  • Writer responsibility: creating the final draft
  • Manager (business unit): approving the final version

The department head must approve the final version.

Question and answer

Match frequent procedural questions with the appropriate responses. This style is beneficial when methods are unclear or there are several variants. It also helps in addressing “what if” concerns.

Example:

Q: What happens if the columns are not balanced?

A: Initially, do not panic. Start with the most basic explanations and move backward. Calculate each column again. Then, search for faults in transcribing. If this does not resolve the issue, examine how you obtained your figures. If you were uncertain about any points, verify those numbers again. Then, methodically review each figure until the problem is discovered.

Matrix

The table links one variable with another. Where variables intersect, the cell displays the corresponding action. Matrix tables are very useful for reference purposes since they minimize the need for repeated searching. You can utilize them for a variety of purposes, including determining what activities to do and when, assisting users in making choices, and determining which forms or reports to use:

Figure 8.1 – Another kind of example, using a matrix approach this time

Summary

So, in this chapter, we had a conversation concerning policies and procedures, with a lot of tips and recommendations. Hopefully, they are (or will be) useful!

Now, you should be able to write a proper policy or procedure by understanding all the requirements around the document. Practice makes perfect, but a good starting point is always helpful.

In the following chapter, we will cover social engineering.
