Throughout my career, I’ve had the fantastic experience of working with small businesses who are new to the idea of being audited.
I’ve seen organizations at every level of readiness, from “We’ve got this, we are prepared,” to, “Why is this so difficult?” It still amazes me that the toughest audits always are a function of the same problem: policies and procedures.
In the world of information security, policies and procedures are better than gold. They are more important than your wireless security keys, more vital than your CEO’s parking spot. They are so important, in fact, that every major framework has at least one entire section devoted completely to the paper that underlies your operation.
The PCI DSS has section 12, the SOC 2 framework has governance and compliance as a full quarter of its audit objectives, and HIPAA regulations have an entire subsection devoted to policy.
You’re getting the idea, right? Policies and procedures are vital. But… what are they?
What Are Policies and Procedures?
In the information security industry, policies and procedures refer to the documentation that describes how your business is run. A policy is a set of rules or guidelines for your organization and employees to follow in order to achieve compliance. Policies answer questions about what employees do and why they do it. A procedure is the instruction on how a policy is followed. Procedures are the step-by-step instructions for how policies are to be achieved. A policy defines a rule, and the procedure defines who is expected to do it and how they are expected to do it.
What is a policy?
A policy is a set of rules or guidelines for your organization and employees to follow in order to achieve a specific goal (i.e. compliance).
An effective policy should outline what employees must do or not do, directions, limits, principles, and guidance for decision making. Policies answer questions like: What? Why?
What is a procedure?
A procedure is the counterpart to a policy; it is the instruction on how a policy is followed.
It is the step-by-step instruction for how the policies outlined above are to be achieved. A policy defines a rule, and the procedure defines who is expected to do it and how they are expected to do it. Procedures answer questions like: How? When? Where?
What is the Purpose of Policies and Procedures?
Too many companies view policies and procedures as a necessary evil, without considering their purpose. It isn’t about best practice or becoming a soulless corporate entity; the purpose of policies and procedures is to explain what management wishes to have happen and how it happens.
I’ve come to believe that the primary distinction between a small and a medium business isn’t found in quantifying a company’s maturity by revenue or number of employees, but rather, whether or not management has taken time to develop, implement, and maintain policies and procedures.
So far, I haven’t been disappointed in this definition; companies with mature policies, procedures, and systems are easier to audit, have a better understanding of their security posture and risk, and generally just seem to be operating far more sustainably than those who haven’t paid much attention to governance.
The Purpose of Policies and Procedures vs. the Pain of Policies and Procedures
After management understands the definitions of policies and procedures, they stop asking, “What are policies and procedures?” and move on to, “Why do I have to write policies and procedures?” Small business management generally has the same set of objections to writing down a set of policies and procedures, all relating to difficulty, company culture, and time constraints. But, let’s remember: the benefits outweigh the pain of policies and procedures. The purpose of policies and procedures is so much greater than writing down some rules. My explanation of these benefits usually sounds something like this:
“But it’s really hard!” Well, yes…but no. Most companies without mature policies and procedures are operating fairly well or they wouldn’t still be in business. It’s certainly easier to define security from the very beginning, but that doesn’t mean it can’t be easy to start with what you’re doing now and then refine it later on.
Sometimes, the real objection isn’t to how difficult it is to write down policies and procedures, but how frightened most people are that they will put in writing how they’re doing things wrong. Start with where you are, then be realistic about where you are going. You may not be up to the best practice standard in some areas, but if you’re letting that embarrassment keep you from setting policies down on paper, then you’re missing the point. Knowing exactly what you’re doing now is how you figure out what you should be doing tomorrow. It’s how you can put together a real budget, identify real risks to the enterprise, and how you can respond effectively when something goes wrong.
An auditor’s hint: If your practice isn’t “correct,” but you’re honest about it, it’s far less of a problem than if you don’t have anything written down at all.
“But it’ll change my company!” Maybe it will. I’m not going to lie to you – writing everything down, putting your hands on formal processes, and setting expectations forces you to sacrifice some flexibility. These extra additions do add a bit of overhead and may result in necessary changes to corporate structure, company culture, revenue pipeline, or “informal, but really good” processes to support the requirements you’ve laid out. Depending on your existing structure, you may even discover that you need some additional staff to handle new responsibilities, or some processes might move a bit slower.
For example, with new policies and procedures implemented, your network engineer now has to have management sign off on a firewall change. Your staff may not be able to just pick up the phone and get a new permission to some additional part of the network. That’s going to add some time and maybe even a little frustration to the process, right? On the other hand, how much would you lose if you lost the person that understood exactly why your firewall is set up the way it is? Without writing these processes down, you create massive vulnerabilities. People, training, standards, applications – how much is that little bit of overhead worth if it ensures that you have a handle on what’s going on inside of your company, your networks, and your enterprise?
You can mitigate the change somewhat, though, by writing your company culture into your policies and procedures. Nowhere is it written that policies and procedures must be horribly formal, boring-to-read documents filled with legalese and pain. What are the things that make people want to work there? Fit your policies and procedures to your company culture, your business, and how your people interact. This will minimize the hardship of implementing them and help preserve what makes your organization unique.
“But there’s no time!” This is the most valid argument. In a world of lean staff, fast turnaround, and an emphasis on doing a lot with a little, finding the time for governance may be extremely difficult. With that said…it doesn’t matter. I can hand you management book after management book, essay after essay, whitepaper after whitepaper, all on how defined policies and procedures will improve your business at every level if you follow the process. You simply can’t pass any formal audit without them. The time to do the work and document your policies and procedures has to be found.
If you can commit to getting your policies in place and enforcing them, you’ll be shocked at the short-term win in how easy an audit becomes, and even more shocked by the long-term advantages you gain. Your operations will be less stressful, your people will have more direction and, if done well, you’ll finally know exactly what it is you’re managing and why.
The advantages outweigh the pain of policies and procedures. Committing to the process has serious benefits. Does your organization view mature policies and procedures as a necessary evil? Do you understand the purpose of policies and procedures? What obstacles has your organization found when developing or implementing policies and procedures? How have you built in the time to commit to enforcing policies and procedures?
About Shannon Lane
Shannon Lane has over 20 years of experience in information services, including healthcare IT, e-commerce data extrapolation, network administration, database administration, and external audit work. Lane now serves as an Information Security Auditor at KirkpatrickPrice, represents KirkpatrickPrice on the 2018 HITRUST CSF Assessor Council, and holds CISSP, CISA, QSA, MSDBA, and CCSFP certifications.