Making Policy
James Bore
I make compliance a painless outcome of good bespoke processes instead of a storming headache of artificial cookie-cutter targets.
One of the most common challenges we come across working with clients who have mature management systems is that they tend to grow.
There's a relationship between managing a management system and gardening. It's not enough to just constantly plant more and let it grow, as what you end up with is an overgrown mess. Pruning and cutting out parts that are no longer appropriate is more important to a healthy system than planting everything you can think of.
Perfection is not when there's nothing more to add, it's when there's nothing that needs to be removed.
Especially when you're a small organisation like ours this sort of minimalist approach is essential to building a sustainable BMS.
What is Policy?
Part of this challenge is that many don't fully understand what policies are. A policy is a statement of intent, to guide decision-making further. It is not a step-by-step guide to achieve that intent, or a set of controls, or instructions to configure a system. Policies are high level, and while the document that contains a policy may contain other items such as processes, procedures, standards, etc., the policy part should be a high-level statement of intent.
When using templates there's an easy temptation to make sure you have a policy for everything.
Avoid that temptation. Templates are useful, but just because a template exists does not mean it has to be used.
We'll have a number of policies at Bores, but only the ones we have a definite need for.
Looking at a few of the templates that Adoptech provides the basics for (we're running through a lot more, along with our own policies and some combined, but this is already dry and listing dozens of policies won't improve that), we'll select the ones that are relevant for us to have:
Artificial Intelligence Policy
Artificial intelligence isn't something we use for business activities. I make some use of it for presentations at community conferences, but our stance at the moment is that we won't use it for any company activities as there are no real benefits in what we do. So, an Artificial Intelligence policy would be pointless.
Business Continuity and DR Policy
Business Continuity and DR policy is a different matter. While by our nature we're pretty resilient, and small enough that the incident response team involves the entire company, there are aspects which are useful to document so that we all have exactly the same information available. On top of this, it's one of those that clients ask about in their rather hefty due-diligence questionnaires, so having it well-documented makes life easier.
Code of Ethics Policy
The Code of Ethics policy is a big one for us. Since we're a family company in a very literal sense, every piece of work we do has our family name on it. Both because we're good people, and because we can't weather reputational damage due to ethical violations in the way larger organisations do (naming no names), putting our code of ethics front and centre, and making sure it is rock solid, is incredibly important. This is a must-have, even though it's not one we've ever been asked about and is usually relevant to financially-regulated companies.
Having said that, we do security and technology Due Diligence work for investment firms, and while there's no legal requirement to have a code of ethics for that sort of work, it is relevant.
Complaints Policy
I'm pleased to say that we've never received a client complaint.
If we did though, we want to make sure it is handled well. Given our size that's challenging, but we can at least put some good practices in place such as making sure someone relatively independent can handle it, and that it gets real attention rather than falling through the cracks.
Visitor Security Policy
This is one we've had conversations about with clients before.
We don't have premises; instead, we're fully distributed. As such, we go to clients' offices rather than the other way around, and don't really have visitors. Since we're mainly working from personal premises, applying any visitor policy would cause more than a few problems with non-business guests.
That doesn't mean it's a control we'll ignore later in the process, but a visitor security policy is not a reasonable or rational response given our circumstances.
Templates or Custom?
With most of the policies, they're largely based on pretty standard wording which we'll customise as needed. At this point, any policies are going into draft forms, not approved. As we go through there'll be a number of edits and changes, until we sit down to run through everything at the end.
Next, we'll be going into risk management to refine things further.
Timely article, James Bore... how would you suggest resolving conflicts in policy creation/change discussions?