The Policy Writing Episode

Transcript

Introduction to the Guest and Topic:

Host Ally Kings introduces Nathan Stevens, a professional writer at Kirkpatrick Price. The discussion centers on the importance of writing clear, effective policies and procedures for compliance and audits. Nathan explains his unique role in creating policies for clients, often starting after a gap analysis reveals missing or insufficient documentation.

Why Do Companies Need Policies?

Policies are essential for several reasons:

• Regulatory Requirements: Frameworks like PCI, HIPAA, GDPR, and SOC 2 mandate specific policies.
• Clarity and Uniformity: Policies ensure everyone understands expectations and processes, regardless of their technical expertise.
• Risk Mitigation: Written policies prevent confusion and help organizations respond consistently to issues

Common Reasons Companies Lack Policies:

• Startups and Small Businesses: New organizations often lack time, resources, or expertise to create policies.
• Legacy Organizations: Older companies may rely on informal practices until external pressures (clients, vendors) demand formal documentation.

Why Generalized Policies Are Problematic:

Generic or vague policies fail to provide clear guidance and may not meet compliance standards. Policies should:

• Be specific and actionable.
• Reflect actual practices, not aspirational goals.
• Align with industry frameworks to avoid audit failures.

How to Start Writing Policies:

1. Use Standards as a Guide: Begin with frameworks like SOC 2 Trust Services Criteria or PCI DSS.
2. Customize Templates: Modify downloaded templates to match your organization’s practices.
3. Avoid Copy-Paste Errors: Ensure policies accurately represent your company and remove references to other organizations.
4. Reflect Reality: Policies should describe what you currently do, not what you hope to do.

Management’s Role in Policy Creation:

• Policies must have managerial approval and authority.
• Involve subject matter experts for technical accuracy.
• Differentiate between policies (what and why) and procedures (how).

Communicating and Reviewing Policies:

• Onboarding: Employees should review policies when hired.
• Annual Review: Organizations should refresh policies yearly and require employees to re-read them.
• Change Management: Formal processes should exist for communicating updates (e.g., company calls, email notifications).

Common Audit Pitfalls:

• Misalignment between policies, actual practices, and evidence.
• Policies that meet minimum standards but fail to provide adequate security (e.g., weak password requirements).
• Lack of documentation for controls supporting policy compliance.

Success Story:

Nathan shares an example of a highly engaged client team that collaborated actively during policy drafting. Their feedback ensured policies accurately reflected operations and strengthened security posture.

Final Advice:

• Review existing policies and confirm they match current practices.
• Update policies to reflect improvements or changes.
• Stay proactive—information security is critical for all organizations, not just tech companies.

Expert Tip from Kurt Staven:

Regularly review your information security policies at least annually. If you find standards you’re not following:

• Determine why and implement controls to enforce compliance.
• Alternatively, remove unrealistic standards from documentation. When in doubt, consult security experts for guidance.