Writing Policies
Monday June 16, 2008 Filed in: Security
Writing effective policy requires more than simply stating what employees are not permitted to do. This article explains some good strategies for creating effective policies in your enterprise.
Writing policies really isn’t rocket science (or brain science, as my brother-in-law would say), but writing effective policies that people can read, understand and follow is something of an art. In this article we’ll try to give you some hard-won tips from our experiences creating and managing policies in enterprises.
One of the big mistakes that we see people make in creating policies is starting out by trying to write a policy. I know that sounds confusing, but let me explain. Quite often one person, or a small group, is asked to create a “draft” policy that then gets reviewed, and everyone starts arguing about what it says. In the end the particularly unpopular pieces of the policy that no one can agree on get killed, or the entire policy gets scrapped because no one wants to sign it.
Rather than starting out by trying to write sentences and paragraphs, begin by working with management to define a bullet-point list of control principles that the business would like to apply to situations generally. It is good to connect these principles to the business objectives of the organization and to the risks that can affect the organization’s ability to meet those objectives.
Next, create a bullet-point list of the objectives of the policy under consideration and align these with the principles you worked out with management. I would recommend that you circulate this list to the stakeholders and management to ensure that they agree that the objectives you are seeking to meet match their view of what is important and how risks should be addressed.
Once you have agreed on the objectives, create a set of bullets that outline the controls you want to put into place. Don’t worry about language at this point; capture only the general principles you need to get across. Next, take both the objective and control bullets you have come up with to the stakeholders and management for their review. At this point you are 90% of the way to completion.
What we have done so far is address the real reason that most policy creation is painful. The problem usually isn’t the wording of the controls; most commonly it is the underlying objectives and controls themselves, how they align, and how they affect the business. By starting at the business objectives and working our way down to the policy control bullet points, we have proposed controls that align directly with the business and serve to control actual risk!
The only thing left to do is to flesh out the bullet points into an actual policy. At this point there may be some wordsmithing and wrangling, but we will no longer need to rewrite the policy for every objection.