cybersecurity-policies-and-procedures

You might not think so, but policy and procedure management should be important to everyone who works at your company. The real problem with managing P and P is that every single standard (think NIST, HIPAA, FINRA, etc.), policy, procedure, or form should be available all the time. This becomes even more important in the age we are in today, where business-crippling cyberattacks lead to liability claims and finger pointing. If you—as an IT service provider—are not on top of what your team is doing and what is permissible, AND getting everyone on board with it, you might be putting more at risk than you’d ever imagine.

Just recently I was on the phone with an MSP that had to file a cyber liability claim against their cyber insurance policy—which ended up getting denied.

The reason?

That MSP could not adequately show that they had taken basic precautions to ensure that a hacker could not easily get on their network (some of the very same precautions that we report on, alert about, and get our MSP partners to fix so they don’t get themselves into a precarious situation).

Today I want to talk briefly about policies and procedures management, not from the standpoint of enforcement, but from a standpoint of making them more effective.

You see, we all break policies all the time. Just think of the simple 3-word policy we see every single day going to work: Speed Limit 25. Now you may be the exception, but I’m sure on a daily basis you see people all around you breaking this policy—even though it’s as simple as 3 words.

Maybe some people disagree with the policy—or maybe they feel like the risk of upping their speed past that limit is tolerable given the conditions or environments at the time. But nonetheless, the policy was broken. If you are treating all of your P and P—especially those for cybersecurity-related issues—like the speed limit sign, you probably are setting your team up for failure.

Some of the failures I see every day with IT P and P relate to:

  1. Keeping their P and P updated
  2. Complying with complicated government standards
  3. Defending events and decisions made by their teams with well-documented (AND archived, historically versioned) policies and procedures.

Let’s start off with the basics. What Is a Policy?

Think of a policy as a predetermined course of action established as a guide toward accepted business strategies and objectives.

Generally, a policy includes information on the what, the why, and the who, but not the how. What are you protecting by the policy? Who is affected by it? WHY is this policy necessary? If you aren’t able to provide ‘good’ answers to these simple questions, ask yourself if that policy is really needed.

As you are reviewing or constructing your policy statements, think about your objectives, goals, vision and company culture. Does that policy align with the fabric of your organization? If not, can you change it to fit your people and your core fiber?

Now, what is a procedure?

A procedure describes the “how” and more specifically, a procedure is a “method by which a policy can be accomplished.” Procedures identify the people, the places, the processes, the forms, and the actions necessary to carry out one or more policies, or to support other policies or procedures. Procedures contain an action, a decision, or a repetitive step.

And Then There Are Standards.

A standard is a set of rules that must be followed without exception. A standard is:

  1. A required approach for conducting an activity or task;
  2. A statement dictating the state of affairs or action in a particular circumstance;
  3. A definition or format that has been approved by a nationally-recognized standards organization or is accepted as a de facto standard by the industry; or
  4. A required procedure that reflects a technical requirement, legal duty, or an obligation that must be followed.

Think of it this way: An obvious use of standards exists for programming languages, operating systems, data formats, communications protocols, and electrical interfaces. The content of policies or procedures is generally not written with this granularity.

If standards did not exist, doors and windows would open differently, nails and screws would be odd sizes, and screens would never fit from one window size to the next. When I think of standards, I think of military standards for products where processes were carefully laid out and tested to the point where there are few if any errors.

To most of you, it will be important to link your company-centered policies and procedures back to standards simply to provide evidence to your clients (who may have compliance concerns) or policy providers that you are in fact abiding by golden standards within the IT industry.

If you were to wave a magic wand and develop your policies and procedures and be able to easily manage them, what would that look like?

  • Link your policies back to your standard sources (NIST, HIPAA, FINRA)? Be able to prove that your team is adhering to the golden rules?
  • Link your procedures back to policies? You understand that procedures will likely change because technology is quickly evolving and the tools and roles your team and those teams you are supporting are also changing quickly, leaving you with tweaks or edits to processes—all in an effort to withstand continual cyberattacks and mitigate your security risks.
  • Link forms to procedures? So your teams can use simple forms to validate or complete tasks regularly as evidence that you are securing your network or that of your clients.
  • Validate your P and P completely? Make sure you can validate that you are taking appropriate steps to secure everything your team is controlling.
  • Defend your decisions on procedures? Because your processes easily trace back to what the experts deemed appropriate controls.
  • Track back tasks towards improving your security posture? By going through ongoing security audits and being able to show a consistent improvement month by month, you and your team will not only show to your clients their improved security posture, but also be able to communicate your improvement process to prospects.

Policies and procedures—if done correctly—should help your team be better. They should be able to easily see why they’re expected to do things a certain way—and take ownership of ways to make adhering to the rules easier. If you’re simply doling out speed limit signs, will people comply?