In the previous chapter, we’ve been through the main principles for deciding what to use and how to use it in terms of controls and risk management related to our entity. As already explained, if we buy off-the-shelf software, there is no need to implement controls related to software (just remember to keep them beside our Statement of Applicability) and so on. However, once we decide to use some controls, we will need to prepare (or update) our policy and procedures accordingly.
In this chapter, we will go through all this, with a hands-on flavor: in fact, my aim is to also give you a good amount of practical tips on how to write down policies (and procedures).
We’ll have a (one-way, of course) conversation related to the following topics:
The purpose of company policy is to define standards of behavior within a business, detailing the duties of both workers and employers. The administration of corporate policy and procedures seeks to safeguard both the legal rights of employees and the economic interests of employers. Depending on the demands of the company, diverse policies and procedures define regulations for employee behavior, attendance, dress codes, privacy, and other aspects of the terms and conditions of employment.
In the following scenarios, a company should develop and apply policies:
To maintain compliance and a healthy corporate culture, employees require consistent company policies to guide them in their tasks and responsibilities, as well as the organization’s underlying business values, ethics, and beliefs. Additionally, written rules and procedures shield your business from any legal action.
Creating written rules may seem like a daunting undertaking, particularly if you are also managing other responsibilities, but here are a few policies to get you started:
When establishing a new policy or updating an existing one, you should adhere to the following writing tips:
So far, we’ve defined policy as a collection of rules or instructions for an organization and its personnel to follow in order to accomplish a certain objective (i.e., compliance). Policies state what workers must or must not do, and they provide directives, boundaries, principles, and decision-making guidelines. Policies respond to inquiries such as “what?” and “why?”
Procedures are the counterpart of policies; they specify how a policy should be implemented. A policy outlines a rule, whereas procedures specify who is expected to follow the rule and how. Procedures address queries such as “how?”, “when?”, and “where?”
Without examining their objective, far too many businesses perceive rules and procedures as a necessary evil. It’s not about best practices or becoming a soulless corporation; the objective of policies and procedures is to describe what management wants to occur and how it should occur.
I’ve come to feel that the key difference between a small and a medium-sized organization is whether or not management has taken the time to design, execute, and maintain policies and procedures.
Companies with mature policies, processes, and systems are simpler to audit, have a better grasp of their security posture and risk, and seem to operate much more sustainably than those that have paid little attention to governance.
Once management knows the definitions of policies and procedures, they cease asking, “What are policies and processes?” and “What is a policy’s purpose?,” and ask, “Why am I required to develop policies and procedures?” Small firm management often has the same set of obstacles to documenting policies and procedures, all of which relate to the complexity, corporate culture, and time constraints involved. However, let’s not forget: the benefits of policies and procedures exceed their disadvantages. The aim of policies and procedures extends much beyond the simple documentation of regulations. Typically, my description of these advantages sounds like this.
Drafting policies and procedures takes effort, but it’s not that difficult. If the majority of organizations lacked developed rules and processes, they would not be in business. It’s obviously simpler to specify security from the outset, but that doesn’t imply it’s impossible to begin with what you’re doing today and then tweak it later.
Occasionally, the main argument is not how difficult it is to document rules and processes, but rather how terrified most people are of documenting how they’re doing things incorrectly. Begin with where you are and then be realistic about where you want to go. In certain instances, you may not meet the best practice level, but if you allow that shame to prevent you from documenting your rules, you are missing the point. Knowing precisely what you are doing today allows you to determine what you should be doing tomorrow. It’s how you can create a genuine budget, detect real business risks, and react effectively when anything goes wrong.
If your practice isn’t right, but you’re honest about it, it’s far less of an issue than if you have nothing documented.
One of the best examples on how to write a privacy policy, for instance, comes from Twitter. As one of the biggest and most popular social networking platforms in the world, Twitter’s privacy policy is an excellent example of a comprehensive but easily accessible policy. Utilizing color coding, hyperlinks, and highlighting, it is well-organized and straightforward to explore. However, the length of this privacy policy is a significant drawback. Observe the scroll bar: this makes it more difficult for the user to quickly comprehend how Twitter collects, uses, and protects user data (you can check here: https://twitter.com/en/privacy).
Policies and procedures will not change your company, but they’ll probably change your perspective! Writing everything down, implementing formal procedures, and establishing expectations will require you to surrender some flexibility. These changes may require adjustments to the corporate structure, business culture, revenue funnel, or informal but excellent procedures to satisfy the criteria you have outlined. Depending on your current organizational structure, you may realize that you require extra personnel to undertake new duties, or that some procedures may move more slowly.
For instance, with the implementation of new rules and processes, your network engineer must now get management approval before making a firewall adjustment. Your team may not be able to simply pick up the phone and request access to an extra network segment. Isn’t it going to add some time and maybe some irritation to the process? On the other hand, how much would you lose if you lost the person who knew precisely why your firewall was configured the way it was? Without documenting these procedures, you create enormous vulnerabilities. People, training, standards, and apps – how much is that small bit of overhead worth if it guarantees that you have a firm grasp on what’s happening inside your organization, networks, and enterprise?
However, you may reduce the magnitude of the transition by incorporating your company’s culture into its rules and processes. Nowhere does it state that rules and procedures must be excruciatingly formal, tedious to read, and packed with legalese. What are the factors that attract potential employees? Adapt your rules and processes to your company’s culture, operations, and interpersonal dynamics. This will reduce the difficulty of applying them and help protect your organization’s identity.
Do you remember the White Rabbit in Alice in Wonderland – that bizarre rabbit carrying a huge clock and declaring that “There’s no time”? Well, that’s the case. I’ve never heard “There is no time” so many times as an excuse for not writing policies and procedures. In a world of lean personnel, quick turnover, and a focus on accomplishing more with less, it may be incredibly difficult to find time for governance. Nevertheless, that excuse does not hold. I can offer you management book after management book, essay after essay, and white paper after white paper on how following set rules and procedures will benefit your organization at every level.
If you can commit to implementing and enforcing your rules, you will be astounded by the short-term win of how much easier audits become and even more astounded by the long-term benefits you will get. Your operations will be less stressful, your employees will have more direction, and, if done correctly, you will finally understand precisely what you are managing and why.
The benefits of policies and processes exceed their disadvantages. The rewards of committing to the process are substantial.
Use a template: establishing a consistent policy template ensures that each policy paper is ordered and comprehensible. It establishes the baseline for how all future regulations will be written and arranged so that they are simple to read and navigate.
Even if you produce a number of additional regulations in the years to come, the format will be simple to duplicate since you have established this standard today. This will also facilitate the writing process and save a substantial amount of time.
Tip
If your entity has not established any policy yet, a good idea could be to create a policy on how to draft a policy.
Here are some suggestions for things to put in your draft policy:
It’s vital to clarify terminology as you go, particularly words and phrases with various meanings and industry- or job-specific terms. This makes rules simple to comprehend and might save you from having to argue over terminology in the event of litigation.
Define employee conduct guidelines and limits. What are the repercussions for violating a rule?
How are incidents and violations to be reported? What is the method for reporting?
Basically, think before writing. Once a policy is approved, it can take time to retire it, get approval from the management again, and so on.
You could create all the regulations in your preferred word processor, but then you’d have to distribute the document so that everyone may annotate their own copy, resulting in many copies of the same page.
Alternatively, you can upload it to a cloud-based word processor, therefore reducing the number of versions you need to manage. Everyone is able to edit the same document and all changes will be saved. However, you still want a solution that provides version control and can match your rules to your accreditation and licensing requirements.
Depending on the size of your firm, you may need assistance in writing your policies and procedures. It also facilitates more buy-in from stakeholders within the firm. Plus, it assures you don’t overlook vital facts.
Since your rules will affect everyone in the firm, you should enlist the assistance of individuals from diverse departments. Consult the subject matter experts on the operation of a certain department or function. Include those who understand and can assist you in adhering to any applicable local, state, and federal laws affecting the operation of the group.
Tip
Let’s suppose you write an HR policy, including all the steps related to hiring, termination, and so on, and maybe some national, regional, or other laws apply. Therefore, it’s imperative to collaborate with your HR team to produce a better and more definitive policy.
Now that you have management support, an organized team, a framework, and a technological solution, you are prepared to begin writing. Here is how it should function.
You cannot write every policy at once and some policies are more significant than others; thus, make a list of policies that must be completed first. Prioritize your new regulations and amendments based on their relative significance and establish a schedule and sequence for their completion.
Consult with your policy team (if there is one) to determine what needs to be addressed. Defining these priorities with your ultimate objective in mind can help you remain on track.
Conduct exhaustive research. Examine your present processes to determine how things are currently carried out. Additionally, you will need to evaluate any compliance concerns that may have prompted your policy review.
There are many approaches to analyzing and studying existing processes:
Writing policies and procedures is an ongoing process. The first draft will need many modifications. It makes sense to get input from stakeholders and colleagues and you should edit your copy depending on their comments.
Having someone other than the policy owner produce the original draft may bring in an outsider’s viewpoint, making your processes eventually more transferable to everyday operations.
This might also assist to clarify the wording and eliminate any unnecessary technical jargon from your work.
Avoid using a large number of industry-specific words, particularly if your company spans many licensing groups, roles, and sectors. The same acronyms and words may have different meanings to various employee groups; thus, you need to prevent misunderstanding.
Additionally, limiting technical jargon can make it simpler for new workers who may be unfamiliar with the business to comprehend your rules and processes.
To guarantee the validity of your methods, you must see them in operation; it is generally a good idea to have the workers who conduct the daily job execute the processes.
Remember that this only applies to the Procedures section of your handbook and not to the policies and forbidden activities sections.
Now that you have a draft, it is time to evaluate it; if a non-specialist authored the first document, you should have a specialist examine it. This is the key to the success of your policy. You will have to walk a fine line between the requirement for thoroughness for your subject matter specialists and the need for clarity and simplicity for your non-experts.
Typically, a member of the executive team must approve any new policy. Because they are ultimately responsible for the policy, they must formally endorse the final document. This should always be carried out by the highest level of leadership for each policy.
For instance, you do not need the CEO’s approval for new spill cleanup measures, but you must for workplace harassment and the handling of confidential information. Equally, the IT manager should not approve an employee conduct code; that responsibility lies with the CTO or CIO, who is ultimately accountable.
The Employee Code of Conduct is one of the most essential components of the employee handbook. We prepared a code of conduct template to help you convey your expectations to your staff straightforwardly and sensitively.
Remember that this template is not a legal document and may not comply with all applicable local and national regulations. Please request that your attorney evaluate the finished policy papers or handbook.
As an employee, you are accountable for behaving correctly at work. Here, we outline our expectations. We cannot cover every possible situation of behavior, but we have faith that you will always use sound judgment. Contact your human resources department if you have any concerns or questions.
The official dress code of our company is business/business casual/smart casual/casual. This consists of slacks/loafers/blouses/boots. However, a worker’s position may also influence their attire. If you often meet with clients or potential clients, please dress more formally. We want you to arrive at work clean and avoid wearing unprofessional attire (e.g., workout clothes).
As long as you adhere to our aforementioned criteria, we have no special expectations about your attire or accessories.
We also allow and respect how religious views, ethnicity, or disability influence grooming styles, dress styles, and accessories in the workplace.
This section concerns everything digital in the workplace. To maintain security and safeguard our assets, we wish to establish standards for the use of computers, phones, our internet connection, and social media.
Our company internet connection is primarily intended for business purposes. However, you may occasionally use our internet connection for personal reasons, so long as it does not interfere with your job duties. If requested, we also expect you to temporarily cease personal activities that slow down our internet connection (such as picture uploading).
You are prohibited from the following:
We permit mobile phone usage at work. However, we also want to guarantee that your gadgets will not distract you from your job or disturb the office environment. Please adhere to the following very basic rules:
Email is crucial for our business. You should use your workplace email mainly for business purposes, although we permit occasional personal usage. Guidance on how to use business email at work:
Regarding how you use your business email, we want you to avoid the following:
We want to give some recommendations in order to avoid irresponsible usage of social media in the workplace. We will discuss both the usage of personal social media at work and the use of social media to represent our organization.
General guidance on how to use social media at work:
Guidance when managing social media through a company:
When you have a conflict of interest, your own aims and your duties to us are no longer aligned. For instance, holding shares in one of our rivals is a conflict of interest.
In other instances, you may encounter an ethical dilemma. Accepting a bribe, for instance, may be financially advantageous, but it is unlawful and against our company code of ethics. If we become aware of such conduct, you will be fired and may face legal consequences.
Conflicts of interest are therefore a big concern for all of us. We anticipate that you will be cautious in identifying situations that constitute conflicts of interest for yourself or your direct subordinates. Follow our rules and always behave in the best interests of our firm. Whenever possible, avoid allowing personal or financial concerns to interfere with your work. Discuss any ethical problem with your manager or HR and we will do our best to assist you in resolving it.
We aim to guarantee that all staff interactions are suitable and amicable. Please adhere to our principles and conduct yourself professionally at all times.
The term fraternization refers to dating or befriending coworkers. In this policy, dating refers to romantic relationships and consensual sexual encounters. Relationships that are not consensual constitute sexual violence and we expressly forbid them.
If you begin a romantic relationship with a coworker, we want you to retain your professionalism and keep personal conversations outside of the office.
You must also respect your coworkers who date one another. We will not accept sexual jokes, nasty rumors, or inappropriate remarks. Please notify Human Resources if you come across this kind of conduct.
To prevent charges of favoritism, misuse of power, and sexual harassment, supervisors are prohibited from dating their direct subordinates. This limitation applies to all employees reporting to managers.
Additionally, if you are the recruiting manager for your team, you cannot employ your spouse. You may recommend them to other teams or departments where you do not have management or recruiting power.
Employees who work together may develop friendships either inside or outside the workplace. This connection between peers is encouraged since it may facilitate communication and collaboration. However, we expect you to prioritize your job and leave personal issues outside of the office.
Everyone in our organization ought to be employed, acknowledged, or promoted on the basis of their abilities, character, and work ethic. We do not want to witness nepotism, favoritism, or conflicts of interest and thus, we impose employment limitations on relatives of workers.
To our organization, a relative is somebody connected by blood or marriage to an employee within the third degree. This comprises the following: parents, grandparents, in-laws, spouses or domestic partners, children, grandchildren, siblings, uncles, aunts, nieces, nephews, step-parents, step-children, and adoptive children.
As an employee, you may suggest family members to our organization. Here are our only limitations:
Please get authorization from our HR manager/security officer/workplace manager before inviting a guest to our office. Additionally, please notify our reception/gate/front office of your guest’s arrival. Visitors are required to sign in and provide identification. They will be given passes and requested to return them to reception/the gate/the front office at the end of their visit:
Solicitation is demanding any type of money, support, or involvement for unrelated items, individuals, organizations, or causes (e.g., religious proselytism or asking for petition signatures). Distribution refers to the act of spreading materials for commercial or political goals.
Non-employee solicitation and distribution are prohibited in our workplace. You may solicit from your colleagues as an employee only when you ask colleagues to assist arrange events for another employee (such as the adoption or birth of a child, promotion, or retirement).
You may solicit support for a cause, charity, or fundraising event that is sponsored, supported, coordinated, or approved by our organization.
You may invite coworkers to employee events for permissible non-business purposes (e.g., recreation or volunteering).
You may invite coworkers to join legally protected employment-related activities or organizations (e.g., trade unions).
In all circumstances, we urge that you refrain from disturbing or distracting coworkers from their work.
This policy is quite specific, and it has been designed to be applicable worldwide.
Tip
This is a policy sample.
Information security exists to further the mission of ACME. ACME comprises diverse populations with evolving needs related to information technology resources and data. ACME management is committed to safeguarding those resources while protecting and promoting business and behavioral freedom. Although an intrinsic tension exists between the free exchange of ideas and information security, and this can manifest itself in some circumstances, the following framework has been identified to promote the best balance possible between information security and academic freedom.
This policy describes the requirements for the appropriate and approved use of externally hosted ACME platforms and services.
To ensure adequate protection of protected data stored on ACME-owned, leased, or personally owned hardware and software, this policy establishes the requirements for the implementation, transfer, removal, and disposal of all hardware housing this kind of information.
This policy also applies to all users who have access to ACME resources, including all employees, contractors, guests, consultants, temporary employees, and other users. Determining the level of sensitivity applicable to a given form of data is the first step in establishing the safeguards that are necessary for that type of data.
Cloud hosting of systems and/or data can be categorized as the following models:
An organization can outsource the hardware, software, servers, and networking components necessary to support operations using the Infrastructure as a Service (IaaS) provider model. The equipment belongs to the service provider, who is also in charge of housing, operating, and maintaining it.
For the purpose of this document, the term cloud computing services is used to encompass SaaS, PaaS, and IaaS.
For cloud-hosted systems (SaaS, PaaS, IaaS, and similar) or data, each system owner must ensure the system protections described in the Information Classification Policy. So, it’s important here to define a protected system and the kind of protection given.
EU-GDPR: The General Data Protection Regulation (GDPR)
ISO/IEC 31010: A standard concerning risk management
ISO/IEC 27001: Specifies a management system that is intended to bring information security under management control and gives specific requirements
HIPAA: The Health Insurance Portability and Accountability Act of 1996
HITECH: The HITECH Act set guidelines on the adoption and meaningful use of interoperable Electronic Health Records (EHRs)
FISMA: The Federal Information Security Management Act of 2002
PCI DSS: The Payment Card Industry Data Security Standard
FERPA: Gives parents access to their child’s education records
PIPEDA: The Personal Information Protection and Electronic Documents Act (Canada)
Data custodian/data protection officer: The person in charge of a company’s written or electronic records, responsible for safeguarding the data in accordance with the company’s security policy or accepted IT practices.
If sensitive data and/or confidential data is stored using cloud computing services, the contracts for those services must be approved by ACME Procurement Services, and the applicable Information Security Officer must evaluate the system’s security measures both before and after implementation, depending on the risk level.
In addition to other ACME policies, the following requirements must be followed in the use of cloud computing services:
5.1 – Pre-requisite Requirements
Consult with appropriate data owners, process owners, stakeholders, and subject matter experts during the evaluation process, or with the applicable Information Security Officer for guidance.
5.2 – Contractual requirements
5.3 – Ensure a Service Level Agreement (SLA) with the vendor exists that requires the following:
5.4 – Cloud computing services should not be engaged without developing an exit strategy for disengaging from the vendor or service while integrating the service into normal internal business practices and/or business continuity and disaster recovery plans. ACME must determine how data will be recovered from the vendor.
5.5 – A proper risk assessment must be conducted by the applicable Information Security Office prior to any third-party hosting or cloud computing service arrangement.
Information that has been classified by ACME as Unclassified Public, Proprietary, Client Confidential Data, or Company Confidential Data may be used only in accordance with the policy related to the classification of information that can be found in the Information Classification Policy.
7 – Personally Identifiable Information (PII) may only be used in compliance with information protected by federal, state, or local laws and regulations or industry standards, such as the GDPR, HIPAA, HITECH, FERPA, PIPEDA, and PCI-DSS.
8.1 – Ensure that all academic, administrative, or research-related data is retained according to the records retention and EU-GDPR requirements.
8.2 – Back up data regularly to ensure that records are available when needed, as many providers assume no responsibility for the data recovery of content (for further information, please consult the ACME Business Continuity and Disaster Recovery Policy).
9.1 – The security and data security teams will be in charge of operations, with support from the legal and ERP departments.
These are just examples: you can customize them according to your needs, find other templates and samples on the internet, or buy some decent packages at a reasonable price online. Of course, my suggestion, as usual, is to involve a third-party consultancy to do the job; afterwards, you can update the documents on your own.
Would you wish to undergo a complex process to get an additional pen or pad of paper? Of course not!
Procedures and their near relatives, policies, may be a genuine pain in the you-know-what. Sometimes, they are excessively stringent and limiting, while other times they are too general and missing specifics. However, if a colleague calls in ill and you are suddenly responsible in case of an emergency, you should be able to stand in for that colleague just by reading and understanding a procedure. Therefore, it is helpful to have a well-written, clear protocol to follow.
Procedures may have a significant impact on an organization if executed properly. When stated clearly and correctly, they may improve the functionality of systems and individuals. If your employees know what to do, when to do it, how to do it, and how to avoid making mistakes, you may decrease aggravation and save a great deal of time and energy.
Procedures are the company’s workhorses. Procedures detail “how to” complete a job or process, while policies outline how individuals should make choices.
Procedures emphasize action. They describe the actions to be performed and the sequence in which they must be taken. They are often instructive and may be used in training and orientation. Typically, well-written processes are solid, accurate, truthful, brief, and direct.
Writing an accurate, concise, and understandable method is not always simple. However, with a little bit of information and experience, you may develop good procedure-writing abilities and recognize many possibilities to enhance the quality of your work.
Tip
Numerous procedures seem black and white, with distinct phases and a single method: “Complete A, then B, and then C.” Occasionally, though, it is necessary to be less precise and allow for individual discretion. When a method is too restrictive, it might lead to misunderstanding. Since life is not always straightforward and uncomplicated, some methods must allow for subjectivity and individual choice.
If you design processes for basic tasks, they will be disregarded since they are unnecessary. The first guideline of creating procedures is to ensure that they serve a purpose: perhaps individuals forget to complete particular activities, perhaps they continue to make mistakes, or perhaps jobs are so lengthy and complicated that a checklist is required for success.
A documented procedure is only required if the problem is severe or if there is a substantial advantage to clarifying a method. Before you begin, consider whether people really need or want to know something.
Up to a point, a process works on its own. Beyond that, your company needs to write it down and make it clear:
In a normal business, many tasks are performed without formal processes. Unwritten norms and informal processes exist. Occasionally, though, these unwritten principles must be codified by a process. Here are some examples of when this may need to occur:
Not only what readers desire to know but also what they must know should be communicated in procedures. They may need to know how to do the task accurately, more quickly, or with less waste. They may also want to know why they must do a task in a specific way, where they may get assistance, and what happens if anything goes wrong. Whenever required, ensure that your processes address both technical and subjective factors.
It is also essential that your processes have the appropriate amount of information. Here are some questions to consider:
Before you begin writing, you should collect extensive information on the procedure you are documenting.
Talk with subject matter experts as well as those who hold essential knowledge, including long-time employees, stakeholders, technical personnel, and process users.
Take copious notes and then organize the material at your leisure. As the process author, you should have a comprehensive grasp of what is occurring. From there, reduce the information just to what the end user needs to fully comprehend the procedure (a mind map is a fantastic tool for arranging information. This may assist you in ensuring that you have included and linked all the necessary components).
When writing the initial draft of your method, you should not be concerned with perfect terminology and structure. The primary objective is to provide the necessary information. After that, you can concentrate on the wording and arrangement.
Here are some helpful guidelines:
You may discover that words alone are insufficient to describe the technique. Occasionally, additional features might enhance a presentation. Here are a few prevalent formats.
This is a schematic of a process. You may outline and simplify a process by using a sequence of symbols and arrows to show the flow of activity. Make sure that your chart does not include too many strange symbols or too much text. If necessary, divide it into many smaller flowcharts.
This resembles a theatre script with many characters. In this instance, though, you list the staff members with varying duties. Scripts may be particularly beneficial when several people are participating in a process:
Person in charge | Action
Writer responsibility | Gathering information
Writer responsibility | Writing the process
Writer responsibility | Sharing the draft with stakeholders
Stakeholder responsibility | Reviewing a draft
Stakeholder responsibility | Submitting comments and corrections
Writer responsibility | Creating the final draft
Manager (business unit) | Approving the final version
The department head must approve the final version.
Match frequent procedural questions with the appropriate responses. This style is beneficial when methods are unclear or there are several variants. It also helps in addressing “what if” concerns.
Example:
Q: What happens if the columns are not balanced?
A: Initially, do not panic. Start with the most basic explanations and move backward. Calculate each column again. Then, search for faults in transcribing. If this does not resolve the issue, examine how you obtained your figures. If you were uncertain about any points, verify those numbers again. Then, methodically review each figure until the problem is discovered.
The table links one variable with another. Where the variables intersect, the cell displays the corresponding action. Matrix tables are very useful for reference purposes since they minimize the need for repeated searching. You can utilize them for a variety of purposes, including determining what activities to do and when, assisting users in making choices, and determining which forms or reports to use:
Figure 8.1 – Another kind of example, using a matrix approach this time
So, in this chapter, we had a conversation concerning policies and procedures, with a lot of tips and recommendations. Hopefully, they are (or will be) useful!
Now, you should be able to write a proper policy or procedure by understanding all the requirements around the document. Practice makes perfect, but a good starting point is always helpful.
In the following chapter, we will cover social engineering.