As a public safety officer, I was once tasked with writing instructions for loading pre-connected hose lines on fire trucks. While this was a straightforward task, a mistake or simple misunderstanding by a firefighter could have serious consequences, delaying rescue and/or getting water on the fire. Writing clear step-by-step procedures was a challenge and also great training, especially when the procedures would be tested on the fire academy training ground.
I have been engaged in policy and procedure development for security, safety, environmental, and chemical management functions since 1981. I believe I have learned a few things:
Clarity and Enforceability – keep it simple and straightforward, not only to help employees understand the rules and guidelines, but to enable enforceability for violations of company policy, a key concern today of Human Resources. How well will the policy stand up in court?
Consistency in Format and Template – Following a consistent template for all policy and procedures makes it easy for employees to find the information they need and enhances their understanding of requirements.
The Distinction between Policy, Procedure, Standard and Guideline.
Definitions based on NIST (National Institute of Standards and Technology) and SANS Institute standards include:
- Policy – A policy is a system of principles to guide decisions and achieve rational outcomes. A policy is a statement of intent, and is implemented as a procedure or protocol. Policy is generally drafted to foster enforceability.
- Procedure – A set of business processes, activities and tasks that, when implemented, contribute to accomplishing a policy goal. Procedures are often step-by-step instructions and are drafted to be enforceable.
- Standard – A document that provides requirements, specifications, or characteristics that can be used consistently to ensure that materials, products, processes and services are fit for their purpose. Often a minimum standard that must be followed.
- Guideline – Recommended practice that allows some discretion or leeway in its interpretation, implementation, or use.
The Policy Catalogue – How does a company make it easy for employees to find the policy and procedures they need? During a project last year, we conceived the idea of a “Policy Catalogue”, a well-indexed online document that contained all IT policies and the subordinate procedures, standards, and guidelines for each policy. The catalogue Table of Contents, in one quick glance, showed not only where to find what was needed, but how the whole policy system was organized.
Don Greenwood & Associates, Inc. has an extensive library of asset protection and security policies and procedures, as well as model security standards, manuals, and post orders. We also have a well-catalogued collection of IT governance and IT security policy, procedures and standards. For procedure review and development ideas, contact us at firstname.lastname@example.org.