16. Policy and Procedure Management
Policies and procedures make up the backbone of successful security organizations. Policies set organizational direction and procedures explain exactly how critical tasks are to be executed.
Because policies are intended to set direction, they have two key characteristics. First, most policies should be determinative, or at least use determinative language: words like shall, shall not, must, must not, or will. This language tells readers very clearly what is and is not permitted behavior. Clearly stating expected behaviors is the second characteristic. Policies are essentially listings of permitted and prohibited behaviors that serve as security controls in their own right. Just as a firewall is intended to block malicious traffic, policies are intended to be preventive controls, telling users that certain actions are or are not allowed.
Procedures, on the other hand, are tactical documents that tell employees how to perform specific tasks. Many times, procedures are written by non-GRC personnel to support day-to-day activities. What matters about procedures is that they often support policy. In fact, nearly every policy statement should have a procedure that details how to accomplish the behavior the policy wishes to enforce. For instance, if an Information Security Policy requires that user permissions be strictly controlled, there should be a procedure describing how the organization goes about controlling those permissions.
While non-GRC personnel often write procedures, GRC staff write a tremendous amount of policy themselves and also assess the policies and procedures written by others. When writing or assessing a policy, governance professionals should keep four things in mind. Policies should be:
- Clear in purpose
- Clear in scope
- Non-tactical and concise; and
- Determinative
Like any other control, procedures should be checked by governance professionals to ensure they meet the needs of their control objective, both in what they do (function) and in when they are performed (timing).