You must have a formal, structured policy framework in place. Policies are developed to promote appropriate behaviour in specific circumstances by persons within an organization. In the past, documented procedures were perhaps less necessary in many organisations, but the increasingly rapid changes we are experiencing, often driven by the adoption of modern information and communication technologies in our business processes, have heightened the need for clear guidance to ensure consistency and appropriate behaviour.
Unstructured, unilateral and unspecific policies have generally proved ineffective as mechanisms for promoting appropriate behaviour, managing activities and reducing organisational risk. They have led to inconsistent and often inappropriate behaviour. Often this is not the result of malice or a lack of diligence on the part of persons employed or engaged by organisations, but simply the result of a lack of knowledge and understanding.
On the other hand, good policies based on well-structured approaches make it easy for employees and third parties to understand the governance and management approaches adopted by an organization. They improve awareness and appropriate behaviour because each targeted audience only needs to reference the document that is applicable to it, rather than lengthy, detailed documents that address issues irrelevant to it.
Despite this, there are many organisations that don’t have a formal, structured policy framework in place. To enable good policy development a formal, structured approach to drafting is advised. This will promote the consistency in look, feel and language that makes policies and the documents supporting the policy (procedures, standards and guidelines) more easily understandable and easy to read. It also allows policies to be developed that are aimed at specific audiences.
Clients often ask us to update or review a policy, and the first question we ask is: do you have a policy framework? There are several approaches that can be adopted. If they are consistent, work well within an organization and result in informing and continuously improving the behaviour of persons employed or engaged by the organization, they should be adopted. Our experience is, however, that often this is not the case, and the result is poor policies that fail to meet these objectives.
You need a structured policy framework
There is no information security policy standard and no general consensus as to what policies or how many should be in place, nor is there general consensus on policy design or content. Some organisations have a single generic document which combines policy, guidelines and standards (the combination approach), whilst others have multiple policies, guidelines and standards documents.
We advocate an approach that aims at the development of policies containing concise policy statements defining the principles that must be respected and complied with. We also favour short policies that are consistent in style and format that make finding appropriate policy statements easy. Hypertext linking can and should be used to cross-reference policies.
Developing policies in this manner enables policies to focus on policy statements relevant to specific groups within or external to an organization. This has the advantage of audiences not having to read irrelevant material.
The policy statements need to be supported by more detailed procedures that have been developed or adopted by the organization, or standards that the organization believes establish the minimum measures that must be achieved. Typically, policy, procedure and standards are mandatory. A policy may, however, also be supported by guidelines that enhance the awareness of readers of the laws, rights of third parties and business requirements that demand compliance with policy statements. Guidelines are often developed with awareness and training in mind.
Perhaps this is illustrated by reference to Data Protection law.
- Policy: The Constitution expressly and very concisely stipulates that “Everyone has a right to privacy… which includes the right not to have the privacy of their communications infringed”. This can be equated to a concise policy statement that we seek to include in our policies.
- Procedure: In order to ensure that the constitutional right of privacy is protected it was necessary to draft a law, the Protection of Personal Information Act (PoPIA), that supports this statement by, among other things, setting out in significantly more detail the conditions or principles that need to be adhered to in processing personal information. This can be equated to the procedures that we need to document to support a policy statement.
- Standards: In PoPIA one of the principles governing lawful processing of personal information is that we must safeguard the confidentiality and integrity of personal information. To do so we may consider external standards that have evolved and provide benchmarks and control measures that it is recommended be implemented to establish and maintain appropriate safeguards. These standards include, as an example, the ISO 27001, ISO 27002 and ISO 27701 standards that address Information Security best practice. They can be equated to the standards that we may choose to benchmark the minimum requirements we wish to achieve to comply with procedures.
- Guidelines: Even comprehensive legislation such as PoPIA and standards such as the ISO 27000 suite of standards cannot address every instance of processing information that exists or may evolve. Often the standards are technical and complex, and we develop guidelines that assist in developing the understanding that we require from persons to whom the procedures and standards apply. The guidance that is provided in the Michalsons programmes is a good example of a general guideline, but typically it too needs to be customized to the needs of an organisation if optimum benefit is to be achieved.
The need to clearly differentiate between policy, procedure and standards is emphasised by the ISO 9000 Quality Standards for the preparation of internal documentation. For example, these ISO standards expressly state that policies must be separate and distinct from procedures.
Policies that are successfully implemented:
- follow a document hierarchy;
- take into account the organisation’s own identified risks and business needs;
- identify and develop procedures and standards that support the policy statements;
- are compatible with the organisation’s culture and are thus more likely to be accepted and supported;
- are aimed at different audiences; and
- are kept up to date.
Typically, such a framework would include a document hierarchy. The following types comprise the document hierarchy that may be adopted:
- Charter: (or mission statement) a concise document positioned at the top of the hierarchy that forms the capstone of the policies, presents the organisation’s philosophy and establishes a management mandate for and commitment to implementing that philosophy. This is sometimes given the name of a Governance Policy or Resolution depending on who “owns” or is responsible for policy statements.
- Policies: Policies are an agreement between a group of persons (e.g. employees of an organization or different functions within an organisation) to behave and act in a defined way. It is preferable for policies to address specific issues defined by their purpose and the group that they wish to address (often referred to as the “audience”). This results in greater focus being achieved and readers being required to read only what is relevant to them.
- Procedures: provide detailed mandatory steps (sometimes in the form of a checklist) to be followed to achieve a recurring task (for example granting access to information, assigning privileges, running daily backups and updating firewall rules).
- Standards: these specify mandatory, uniform uses of specific technologies, configurations and procedures. An example is the ISO 27000 suite referred to earlier. However, there can be standards that are specific to an organization. For instance, a standard agreement or standard clauses used in an agreement are by their nature “standards”.
- Guidelines: provide additional (optional) advice and support for policies, standards and procedures, as well as general guidance. These may suggest various manners of securing electronic records (access controls, passwords or encryption that may vary depending on the sensitivity of information) or recommendations on different software tools that can be used to manage data protection (e.g. Microsoft Compliance Manager or Trustarc). This module is a guideline that will assist in policy development.
Audience-driven approach to a policy framework
Generally, policies are directed at several significantly different audiences because each audience has to know about different aspects of issues addressed in policy.
Some policies are intended to address all or most of the persons employed or engaged by an organization. For instance, an Acceptable Use Policy may be required to ensure consistent and acceptable use of ICT and of the information processed using the ICT. This would typically apply to everyone from the CEO to the most junior person, as they all use ICT and process the information in one form or another. All persons who have access to the ICT would have to understand what access controls are in place. Only a few may have remote access privileges, so only those few may be subject to a Remote Access Policy and need to understand their obligations to protect the ICT and information when working remotely, away from the protections inherent in processing the information at work.
If a third party not employed by an organization is to be subject to a policy, the agreement of the third party will have to be obtained. As non-employees are not subject to employment law and the disciplinary processes that may be established by an organisation, the agreement should contain contractual provisions that outline the remedies and sanctions that the organization can impose if the policy (or the procedures and standards supporting the policy) is breached.
The drafting principle that a policy statement should be concise should be adhered to. The flexibility and detail required to address different requirements can be addressed in procedures and business-related standards. This is always subject to the requirement that a procedure or standard can be more stringent than the policy statement it supports, but never less stringent. For example, the policy statement may be that “The confidentiality of electronic records that are communicated by email is safeguarded”. The default procedure may be that no electronic record can be emailed externally as an attachment unless it is password protected. The procedure governing special or children’s information may require that the electronic record is encrypted. Both of these would comply with the policy requirement. However, a procedure that allowed an electronic record to be transmitted in MS Word or PDF form that can be opened by anyone intercepting the email falls short of the policy statement.
Policies and policy statements
Policies are a grouping of policy statements that relate to one another and are aimed at a specific audience.
Some may prefer to refer to a Data Protection Policy as an overarching policy that sets out an organisation’s policy on data protection. If only extracts from a policy limited to a few policy statements are used, particularly if addressed to an external audience, you may refer to this as a Policy Statement. For instance, an organization may choose not to publish all of its Data Protection Policy but only the principles applicable to a website or applications available through the website and refer to this as a Privacy Statement.
There are no mandatory requirements on using terms in developing policy (unless stipulated in a glossary), but it is wise to ensure that the term is consistently used. If your choice is to use the title “Policy” as opposed to “Policy Statement” in external-facing publications, then you should do so. Just don’t do this inconsistently as it will cause confusion.
Glossary: What’s in a name?
While it is good to consider the usual usage of words or terms, the guiding principle should be what will be best understood by the audience. If there are terms that are industry or organization-specific and well understood by the intended audience, use that term or word. It is recommended that a glossary of terms be developed and that these are consistently used in the policies, procedures, guidelines and business standards that you develop. The glossary should be easily accessible. A glossary eliminates the need for definitions being repeatedly developed as reference can be made by both drafters and persons reading the relevant material.
Characteristics of good policies
Generally, issue-specific policies are:
Easy to read
In the fast-paced information economy in which we live, people are pressed for time and will generally only read things that are relevant to them. Policies should therefore be in plain language and focused on particular audiences (typically end-users, management and technical staff), addressing only those issues that are absolutely needed and focusing only on the essentials. Addressing a policy to multiple categories of readers makes it hard for a reader to find relevant information. For example, they might have to sift through a whole lot of rules before getting to the rule relating to their email use.
Easy to rely on
Where one has issue-specific policies, it is easier to support the policies with procedures, standards and guidelines that assist in promoting compliance. This is difficult to do with “bundled” policies, because the supporting procedures, standards and guidelines are then typically very lengthy, often come across as “clumsy”, and it is not clear which issue they pertain to (for example, email guidelines relating to retention of email records, purging of email and technical email restrictions would bear no relevance to Internet-specific guidelines).
Easy to manage
Problems that arise tend to relate to issues, and if those problems are recorded on an issue-by-issue basis, then it is easier to update the issue-specific policies when they are reviewed annually. The lengthier or more wide-ranging a policy is, the more people need to be consulted and required to review revisions. This is often time-consuming and leads to unnecessary consultation and debate.
Easy to implement
For purposes of education and awareness, it is easier to convey key messages as they relate to issues contained in the issue-specific policies. Furthermore, for purposes of assigning information Owners, Custodians and users, it is only possible to do so where such assignment takes place in relation to specific issues.
Easy to rely on in a court of law
One of the essential guidelines in cases of dismissal for misconduct (in terms of Schedule 8 of the Code of Good Practice to the Labour Relations Act of 1995) for determining whether a dismissal for misconduct is unfair is “(a) whether or not the employee contravened a rule or standard regulating conduct … the rule was a valid or reasonable rule or standard … the employee was aware, or could reasonably be expected to have been aware, of the rule or standard … the rule or standard has been consistently applied by the employer”. It is not possible to demonstrate “validity” or “reasonableness” if the relevant “rule or standard” is contained in a guideline (which is optional or non-mandatory) rather than in an issue-specific policy, procedure or standard (which are mandatory). More importantly, however, an employee might be able to raise the defence in a disciplinary enquiry that there was in fact no “rule or standard”, because, if it is contained in a guideline, the rule is merely optional and does not have to be followed.