We find that most organizations struggle with the documentation aspect of a PCI assessment. Established best practice states, “If it’s not written down, it’s not happening.” Organizations need documented policies, procedures, and standards to control risks to business assets, but to also have a common understanding and language to create consistency among the culture of your organization. Small organizations often question why they need to document how their organization runs, especially if there are only a few people in the company. We think that’s the perfect example of why your organization, no matter the size, needs documentation; what if something happens? Who would know how to securely operate your organization? You need to have the proper policies, procedures, and standards in place to ensure the ongoing continuity and security of your organization.
Creating procedures is where most organizations tend to struggle. A procedure should provide very clear, step-by-step instructions on how something must be done or is to be done. Procedures are instructions on how to run your business. Your organization needs to have this documentation in place to define how to complete tasks securely to ensure the ongoing operation and security of your organization.
Policies, procedures, and standards should be written at a level so that someone with knowledge of the topic could read the policy or procedure and be able to carry out the task that is detailed.
If you need help documenting your policies and procedures or want to learn more about how to write them, contact KirkpatrickPrice or check out our Style Guide to Creating Good Policies and our Style Guide to Writing Good Procedures.
Policies, Procedures, and Standards
Now, I’d like to talk about policies, procedures, and standards. We find, here at KirkpatrickPrice, that a lot of organizations really struggle with the documentation aspect of an assessment. So, we’re going to spend a little bit of time now talking about the difference between policies, procedures, and standards.
At the top of this pyramid, if you would, is a policy. A policy is an executive-level document that defines that something must be done. This is something that’s an edict, that’s a directive by your executive-level management that says “Thou shalt do these things.” The next step down is our standards. What are the tools, means, and methods that you’re going to be using in order to meet these policy requirements? Lastly as part of this, we have procedures. This is where most organizations tend to fail. Having a set of standard policies and procedures is often required. Where a policy defines that something must be done and a standard will define the tools, means, and methods for how we’re going to do it, a procedure defines how we’re going to do these things. A procedure should be very clear in providing step-by-step instructions on how something must be done or how something is to be done. For example, if somebody should go on vacation for a couple of weeks, we would expect them to hand off the policy, procedure, or standards documentation and someone else to be able to carry on that activity securely. These are the instructions on how to run your business.
If you’re a small organization, 2 or 3 people, we often hear the argument, “I’m the only one that does this, so why do I need to document what I do?” Well, I think that’s the perfect example as to why you need to document. What if you’re not around anymore? We need to make sure that we have the processes in place that define how to perform a task securely to ensure the ongoing continuity and security of your organization.
Please review your documentation, please review your audit standards and understand that each of these particular controls often needed and they’re distinctive in nature. As an organization, you can have one monolithic policy set; one policy that has all of the necessary statements. You can have one set of procedures that cover everything in your environment. You can have one document for each; we really don’t care. What we do care about is when a requirement says to demonstrate that you have a policy, we look for the policy. Where there’s a procedure required, we actively look for the step-by-step procedures.
Policies, procedures, and standards should be written at a level that you can hire somebody or give these documents to somebody with knowledge of the specific topic, and that individual could be able to carry that task on. We don’t expect you to be able to educate someone or take them from the ground level to expert level; someone who has knowledge of the topic should be able to read the policy or procedure and perform the task that’s detailed.