The Policy of Policy Development

Good policies address potential threats. If there were an absence of threats, there would be little reason for policies. Organizations need comprehensive policies. A good example is the United States needing policies that address national defense. The state of Colorado does not need a national defense policy, as there are no security threats posed by other states, nor is Colorado in a position to execute treaties with other nations. Nevertheless, Colorado is a significant member of the United States and thereby provides resources to the national defense posture of the whole United States. Unified policies provide a framework for identifying threats and vulnerabilities and a basis for effective safeguards.

Policies are about strategy. You cannot decide countermeasures for information leakage if you do not have policies mandating enforceable countermeasures. For example, you cannot expect 20 software engineers, each of whom is in charge of a small degree of program security, to behave coherently unless there is a unified policy with the same goals in mind. Of course, employees have a policy in mind when they define and implement safeguards, but written policies direct them to a mutual goal.

Every organization needs policies addressing its many functions. Policies should detail who is responsible for policy implementation, enforcement, audit, and review. Policies must contain a very brief explanation as to the reason they exist. Seemingly arbitrary policies delivered from on high with little or no explanation are likely to be ignored completely. Clear, concise, coherent, and consistent policies are more likely to be adopted and followed by the workforce.

Most well-developed policies share many of the same elements. Some are drafted so these elements are specifically identified while others are subtle, requiring a thorough reading and a bit of head scratching.

Some employees will resist policies, regardless of their intent. They view policies as impediments to their ability, restricting their freedom. Sometimes they feel the organization does not trust them and intends to overly govern their behavior. Employees fear that policies will be difficult to incorporate into their business activities or difficult to follow. Managers tend to worry that restrictions placed by policies will adversely impact the organization's morale and profitability. Obviously, the most desirable deliverable goal in policy drafting is the win-win-win scenario. Managers win, employees win, and the organization wins. This strategy requires skill, daring, and terrific delivery.

Team Leadership

Successful policy development teams must have a fanatical executive sponsor. This senior manager needs to be a "true believer." The policy development team needs to have a leader with excellent business knowledge, analysis, management, and communications skills.

Team leaders are able to guide and direct the team's efforts by:

• Asking questions that stimulate ideas and fruitful discussions.

• Using reflective listening skills.

• Directing but not overly managing the team's discussions.

• Developing and fostering an informal and relaxed atmosphere.

• Celebrating the achievement of milestones and objectives.

Policy Team Members

Carefully select the policy development team members. The team development model presented in Chapter 1 is also applicable here. Team members should be selected from relevant business units. There is a decided advantage if members have the ability to write in plain, simple language.

Common Policy Components

All policies must be given an effective date. Effective dates cannot be before the release date of the policy, but prior events can be included as part of the policy statement.

Every policy should be subject to a review or expiration date. This date assures that the policy will be reviewed periodically to determine if it is still needed. In this way, old policies may be updated, obsolete policies can be abandoned, and new requirements can be incorporated into existing policies.

Affected business units or positions should be listed as the policy audience. If the policy is companywide, then it should clearly state this fact; however, if it is applicable to just a few people, then those positions should be specifically detailed. Avoid the tendency to make policies just to impress someone such as a new operations officer or company president. Make policies that matter.

Executive Approvals

Policies should specify which executives approved them. They should be named along with their official title in the policy document. Here are two points on executive approvals:

1. Do not name an artificially high officer who has little relevance to the policy as the authorizing person. This may result in the policy being challenged without a knowledgeable defense.

2. The authorizing officer should be of sufficient authority so that higher-ranking executives could not overrule if the policy were challenged.

Policy Exemptions

Just as important as the body of the policy is the process outlining how exemptions can be requested. If exemptions are not possible, then the policy should state why. It is not important to state the conditions under which exemptions may be granted; just the process for requesting them. It is likely that if you are overly explicit in defining the exemptions, you will receive a deluge of similarly worded exemption requests.

Changes

Policies cannot remain unchanged forever. Successful policies have explicit procedures for generating succeeding policies. In some cases, policy changes are merely a technical review while others will require a full narrative justification, including a process for combining old procedures with newer ones.

Violations

All policies must contain an explanation of consequences when employees violate them. Disciplinary actions can vary from the least level, where a violator's supervisor must acknowledge that the policy has not been followed, to severe disciplinary action resulting in the employee's dismissal and prosecution. The level of discipline must be commensurate with the importance of the policy. For example, a new employee violates a policy that requires e-mail to be used only for job-related purposes. It is sufficient for his supervisor to issue an information reminder about the use of e-mail. However, if a senior employee were to send an e-mail containing obscene language or racial insults, this would likely result in counseling the employee, and depending on the circumstances, suspension without pay or even dismissal. Exhibit 1 is a common format for policy headings.

Exhibit 1: Policy Format

The policy purpose section explains the objectives of the policy. When drafting purpose statements, consider using a consistent opening paragraph containing one or two sentences. Avoid rambling or flowery sentences; the language should be sufficiently comprehensive and concise in meaning. Do not use abbreviations, which abbreviations cause confusion and provide a basis for misunderstanding.

The revision history shows previous revisions to the policy and provides a historical view of the document, showing the policy as it was instituted and how it was revised since that time. In the case of ISO 9000 or the Capability Maturity Model, policy and revision histories are requirements. This section is a good place to set dates for a future review, noting who should perform this review and why.

The affected personnel section identifies the employees to whom the policy applies. It states the users of the policy and should identify the affected persons by business unit positions rather than specific persons by name, e.g., "All server systems engineers" rather than specific employees such as "John Doe."

The next heading, the policy's body, is the most important. In this section, the general attitude of the company, its goals, mission, and vision are reflected. This is the section that should include any clarifying narratives or definitions. All readers should have a common vocabulary if they are going to clearly understand the policy. Avoid stating the policy in part, then referring the reader to another section for the rest of the policy. Regardless of the length, state the policy completely. The whole purpose of writing an easy-to-read policy is to assist the reader to understand and remember the information on the first reading.

Exemption processes should be the next section. State the process by which exemptions may be obtained. Be certain to detail the written format that exemption applications need to follow and specify the position to which they should be submitted for consideration.

Disciplinary actions should be plainly stated in the policy for noncompliance. Accountability, responsibility, and employee empowerment are current management tools that are available in explaining the policy.

Do the Policy Right the First Time

Avoid drafting, vetting, and approving a policy only to discover shortly thereafter that it does not address the problem. Get it right the first time. Policy teams lose credibility and senior management support if they complete the process and need to undo or revise the policy a few days later.

Vetting Policies

We live in a litigious world. Laws, contracts, union agreements, regulations, and international treaties affect the workplace. Policies must pass through an established vetting process where they can be reviewed for consistency and compliance. The complexity of this process depends on the policy, the size of the organization, and the policy's affected universe. At a minimum, these are the parties that should review the policy, making any corrections before it is adopted: affected business units, Human Resources, union representatives, Legal, Audit, Finance, and Executive Committee. Failure to adequately vet a policy might adversely affect the company and preclude it from doing business.