People by nature don’t like to be told what to do. Most people would rather be told what needs to be done and left to their own devices to produce the end result. That approach works fine if you are an organization of one. Bring in another person and suddenly things start to get done differently by each person. Those differences only get multiplied as an organization grows. Well-run organizations develop policies, procedures, and standards as a mechanism to help ensure safety, security, consistency and operational efficiency.
What are policies, procedures, and standards?
Policies
Simply put, a policy is a statement about what an organization will do in relation to a particular aspect of the business. A policy typically contains a version, a statement that addresses the objective or purpose of the policy, background information, who the policy applies to within the organization, the actual policy statement, enforcement options, change tracking, definitions, and references to specific security or compliance frameworks.
Here is an example of a very basic policy:
Dirty Dishes Policy – Version 02-13-2024-01
Objective
To keep the kitchen and sink area neat, clean and sanitary for all office employees.
Background
As the company has grown, keeping the area around the sink clean and free from accumulating dirty dishes has become problematic for the office management team. The team wants to implement a simple, understandable policy that everyone can follow.
Scope
This policy applies to all employees making use of any dishes in the main office kitchen area.
Policy
All employees will make sure that dirty dishes are not left in the kitchen sink. The proper procedure for this can be found in the Dirty Dishes Mitigation Procedure
Enforcement
Employees not following this policy will be required to wear the pink badge of retribution for the next two working days if found to be in violation of this policy.
Document History
| Date | Editor | Changes |
| 02/13/2024 | Office Manager | Policy created |
| 02/13/2024 | Office Manager | Policy approved & distributed |
Definitions
Dirty Dish – Any dish that has been used to serve, cook or store food.
References
Emily Post’s book Etiquette in Society in Business in Politics and at Home
All snickering aside, you can see that the policy document has a structured format, addresses a specific issue is a manner that sets expectations and references a specific procedure to be used to accomplish the outcome. A well-run organization should have governance processes in place across various teams that cover the policy management lifecycle. The number of polices managed by an organization depends on many factors including:
- Organization size
- Geographic location
- Number of locations
- Regulatory requirements
- Compliance requirements
- Risk tolerance
- Customer requirements
- Supplier requirements
- Stockholder or board requirements
This is only a partial list. Policy needs apply to many different departments within an organization and have differing applications and scope. Some policies may be broadly applicable to all employees within an organization. Other policies may apply to only a small group of people with a specific role within the organization.
Policies are critical in helping an organization maintain operational efficiency, setting expectations for employees, vendors and customers, and providing the guardrails needed to operate legally and safely. Unfortunately, many organizations document policies very well but fail in the critical step needed for success. That step is policy execution. Having a policy simply to be able to present a document to an interested party doesn’t accomplish anything. The real effectiveness in having policies in in their distribution to the impacted parties and gathering proof that the policies are being implemented. The proof that we gather are known as artifacts. These artifacts are produced through the recording of the execution of procedures and often serve as evidence that is provided to auditors and others as a means of demonstrating the effectiveness of the policies and procedures. Artifacts are sometimes called audit evidence.
Procedures
This is where procedures come into play. While policies describe what gets done, procedures describe how things get done. A procedure typically contains a version, a statement that addresses the objective or purpose of the procedure, background information, what the procedure applies to within the organization, the actual procedure, enforcement options, change tracking, definitions, and references to specific security or compliance frameworks. Procedures contain enough detail so that those implementing the procedure can execute the procedure. Procedures should be technology agnostic to the degree possible. For instance, a procedure might reference the particular use of a specific third-party service or software but would refrain from referencing specific versions. Another example may reference the use of TLS encryption but avoid specific details regarding TLS versions and ciphers. Specific details relating to implementation of technology should be outlined in standards documents which a referenced in the procedure documents.
Here is an example of a very basic procedure:
Dirty Dishes Mitigation Procedure – Version 02-13-2024-01
Objective
To ensure that all dirty dishes are properly cleaned and processed.
Background
Cleaning standards for dishes can vary from person to person. In order to ensure that all dishes are maintained in a clean and usable state, this procedure should be followed.
Scope
This policy applies to all employees making use of dishes in the main office kitchen area.
Procedure
- Rinse dishes in the sink to remove the bulk of leftover food.
- Check the dishwasher to be sure the dishes inside have not been washed.
- If the dishes in the dishwasher are clean, empty the dishwasher, putting the clean dishes in their proper place and move the indicator sign from CLEAN to DIRTY
- If the dishes in the dishwasher are dirty, proceed to step 3.
- Place rinsed dishes inside the dishwasher in the appropriate location.
- If the dishwasher is full:
- Add detergent – see Dishwasher Detergent Standards for acceptable detergents.
- Close the door and activate the wash cycle.
- move the indicator sign from DIRTY to CLEAN
- If the dishwasher is not full:
- Close the door.
- Go back to work.
- If the dishwasher is full:
Enforcement
Employees not following this policy will be required to wear the pink badge of retribution for the next two working days if found to be in violation of this policy.
Document History
| Date | Editor | Changes |
| 02/13/2024 | Office Manager | Procedure created |
| 02/13/2024 | Office Manager | Procedure approved & distributed |
Definitions
Dirty Dish – Any dish that has been used to serve, cook or store food.
Dishes – Includes plates, cups, bowls, silverware, and any other object used to serve, prepare, cook or serve food or drink.
References
Proper Dish Cleaning Manual (this is made up!)
Standards
A typical standards document will follow the same format and provide details relating to what is implemented within procedures.
Keeping policies as a high-level overview that define the “what” means that policies change very little over their lifetime. Procedures are a bit more prescriptive and may change more frequently but limiting references to very specific technologies helps reduce the amount of change. Standards documents are brief descriptors that define specific technologies, implementations, and other minimum technical requirements. These documents change regularly to reflect the current implementation of technologies used in procedures.
Impact on Organizational Security
OK so what? How does all this impact the security of an organization? As we examined before, security is the reduction of risk to a level that is acceptable, in this case a level acceptable to the organization based upon the organization’s risk appetite. Risk is reduced through the implementation of controls. Controls can be technical or administrative. Each of these types of controls can be preventative, detective or corrective.
Technical controls operate on physical systems in a predictable and controlled manner. Examples include badge scanners, firewalls, antivirus, and cameras. Some of these are preventative – they block of prevent bad things from happening. Some of these are detective – they monitor actions that occur. Some of these are corrective – they are put in place to correct a previously uncovered weakness.
Administrative controls are put in place to serve as the framework and guardrails for the operation of an organization. These include corporate policies, procedures and standards. All serve to communicate acceptable and unacceptable activities across the organization. Administrative controls can also fall into any of the three types of controls mentioned – preventative, detective, and corrective. The main difference is that these controls are implemented at the people level and not through technical means.
Corrective controls are put in place to bring about corrective action with an organization. An example might be as simple as a form field validation added to a critical data entry form. The goal is to change or correct the drift in errors that may have occurred in the past.
Both administrative and technical controls can fall into more than one category of control. Some fall into all three categories.
Every security framework is based upon the implementation of proper organizational controls. In fact, SOC stands for Service and Organizational Controls. Policies, procedures, and standards are the foundation of these frameworks. These critical documents define what’s being done, how things are done, and using what tools and standards. Having a solid set of foundational policies, procedures and standards allows the organization to communicate with internal and external stakeholders in a consistent and trackable manner with the benefit of having understandable, repeatable processes that produce consistent results.
Without a developing a clear set of operational policies, procedures, and standards, an organization has little chance of success, will be unable to sustain growth and will not be able to sustain any measure of safety, security or quality. Additionally, the organization will have a tough time building stakeholder trust. This lack of trust will be noticed by prospects, customers, and employees and result in long-term irreparable damage to the brand and ultimately the bottom line.
Developing and implementing policies, procedures and standards may seem like nothing more than busywork but organizations that embrace this process in a meaningful and effective manner position themselves for long-term success. Quality, safety and security are improved. Repeated review of policies, procedures and standards allows an organization to continually improve and optimize. Ineffective policies are removed, new policies are created based upon the changing landscape, procedures are improved, and best-practice standards can be implemented to take advantage of better and more effective ways to reduce risk. Organizations that take these steps are proactively addressing new risks to the business resulting in a more effective overall security program.
