Penning effective policies
Craig McQuate. Security Management. Arlington: Dec 2002. Vol. 46, Iss. 12; pg. 107, 4 pgs

Abstract (Summary)

Writing policies may seem easy, especially if the security manager has researched benchmark samples or if the company already has policies in place that just need updating. In reality, writing policies that are effective, enforceable, and accepted by management and employees is difficult. To develop good policies that enhance rather than hinder the business, it helps to understand how policies differ from procedures and to know the key components to be found in effective policies. The first step in policy development is to ensure that a valid need for the policy exists. Company culture should also be considered during the development process. Employees and managers at all levels will be most likely to support a policy that makes sense, is easy to follow, and minimizes interference with getting the job done.

Full Text

Copyright American Society for Industrial Security Dec 2002

[Headnote]
Writing policies seems easy, especially if you have benchmark samples. But writing effective policies that are accepted is a challenge.

FOUR YEARS AGO, the author's company was in a growth phase. Management had plans for significant expansion of the employee population, which would also lead to a corresponding increase in the number of laptops issued. The security department had noticed that laptop theft was on the rise, and it knew that the problem would only worsen if nothing were done. An effective laptop security policy was needed.

To achieve that objective, the security team gathered evidence of the problem and presented management with convincing proof of the need for a policy and with specific recommendations for a solution. With management's support, security implemented the program over the following six weeks.

THE LAPTOP THEFT prevention program, which requires employees to secure their laptops when not in use, was announced to employees in a companywide e-mail. Under the program, every employee with a laptop is given a cable and lockdown docking station with which to secure the portable computer.

During the two weeks before the program was implemented, if an unsecured laptop was observed, the security department left friendly reminders. The Friday before the program went into effect, the department sent another reminder e-mail message.

In addition, good laptop security practices are listed on the security department page on the company intranet, including a list of lockdown devices that are company approved, the procedure for obtaining one, and instructions on how to report a theft. (This information is also provided during new employee orientation sessions, mentioned in security presentations, discussed in the security newsletter, and displayed in posters.)

Under the program, any unsecured laptops spotted by patrolling officers are removed for safekeeping. Officers use a two-part perforated card to document the incident. One part, which is attached to the machine by the officer, contains identifying information such as the number of the office where the laptop was found and the name of the employee whose laptop has been found unsecured (if the officer knows the name).

The second part of the card is left conspicuously on the desk and informs the employee that he or she must personally retrieve the computer from the security office. Managers who have had their computers picked up are not permitted to send administrative or executive assistants.

Some employees are agitated when they arrive to pick up their laptops, but most have a positive view of the practice when they leave. As the employee signs for the laptop, a security officer politely explains the financial and operational losses that can result from computer theft. The employee is also furnished with a laptop security information sheet and asked if assistance is needed with obtaining or using a lockdown device.

Managers, from the CEO down, have supported the policy. And it has proven its effectiveness. It is now rare for a laptop to be found unsecured, and thefts have all but disappeared.

WRITING POLICIES may seem easy, especially if the manager has researched benchmark samples or if the company already has policies in place that just need updating. In reality, writing policies that are effective, enforceable, and accepted by management and employees is difficult. To develop good policies that enhance rather than hinder the business, it helps to understand how policies differ from procedures and to know the key components to be found in effective policies.

Policy vs. procedure. A first step in writing policies is agreeing on what a policy is and how it differs from a procedure. The two terms are often used interchangeably, but they are in fact quite different. Simply stated, a policy lays out what management wants employees to do, and a procedure describes how it should be done. Policies are normally succinct and broadly state what is required. They set a standard to abide by. Meanwhile, procedures describe exactly how to carry out the policy and contain much more detail.

For example, most companies probably have an access control policy that requires visitors to sign in, receive a badge, and be escorted at all times. A copy of the policy is issued to all employees or is available on the company intranet. Meanwhile, the lobby desk procedures will describe what identification is required, which badge to issue, what instructions to issue to the visitor, and perhaps how to retrieve the badge when the visitor exits. Distribution of the procedures would not normally extend beyond the security department and any other staff involved in implementation, such as the person who handles the front desk.

A winning policy. The following components will increase a policy's chances of being followed.

Need. The first step in policy development is to ensure that a valid need for the policy exists. The manager should first ensure that the issue is not already adequately addressed elsewhere in existing policies. If the company already has a building access policy, for example, is a separate contractor access policy really needed? The answer to this question will be decided by the company culture, operational requirements, and the scope of existing policies. Perhaps a simple addition to an existing policy will fill the void.

Culture. Company culture should also be considered during the development process. Corporate attitudes toward policies span the spectrum. On one end of the scale are companies that have a policy for everything. At the other end of the spectrum are companies that only have policies required by law. Most companies fall somewhere in between these two extremes. The manager writing any policy needs to understand where on the spectrum the company falls and how the policy can be made to fit the culture to enhance compliance.

Stakeholder participation. Employees and managers at all levels will be most likely to support a policy that makes sense, is easy to follow, and minimizes interference with getting the job done. The best way to get such a policy is to have all affected parties involved in the development process. Not doing so is a frequent downfall when it comes to implementation.

Support can also be enhanced if the policy's impact on the company is clearly explained; the impact that will be most meaningful to managers is the financial loss that can result from failing to implement the policy.

Consider, for example, a pharmaceutical company with a high theft rate for laptops that contain sensitive information. To curtail the thefts, security would like to establish a policy that laptops must be secured with lockdown devices when in the office (as in the author's experience already described). To sell this policy, which might encounter resistance because it creates an inconvenience, security might point out to the relevant stakeholders that the true cost of a stolen laptop far exceeds the cost of replacing the hardware: if the sensitive information on it falls into the wrong hands, the loss could run to millions in lost sales.

Stakeholder participation is particularly important when policies cross functional or departmental lines. For instance, a policy addressing access to a secure network monitoring center is important to more than the staff and management of the monitoring center. Other departments or functions that have a need to enter the secure area might include facilities personnel who must perform routine, emergency, and preventive maintenance; janitorial staff who empty trash cans, dust, and vacuum floors; and technicians who service computer equipment, copiers, and fax machines. Although the monitoring center manager may be the approving authority for access, the security manager can avoid future problems by facilitating a cross-functional meeting to discuss access needs.

Consider the manager of a secure area who does not want anyone other than his staff to have unescorted access to the area. The area is staffed 24 hours a day, but there are reduced staff levels after normal business hours. To comply with the escort policy, the manager insists that the trash be emptied during the day when more monitoring center staff are present. But the cleaning supervisor does not have adequate day staff to empty the trash during business hours; when told of the manager's demand for daytime pickup, he replies, "if they want the trash emptied then, they can do it themselves."

If the security manager brings all the players to the table, these issues can be addressed proactively. Options that could be considered in this case might include giving select cleaning staff unescorted access, placing trash cans outside of the secure area at the end of the business day, or agreeing to fund additional daytime cleaning staff.

Simplicity. When it comes to writing the policy, it's best to strive for simplicity. Security professionals, especially those with a military or law enforcement background, should guard against the use of jargon from those fields in the corporate world. Similarly, policies authored by technical professionals may contain too much "technospeak" for the lay end user.

The value of a policy will not be measured by how many definitions must be learned to interpret it. For instance, a policy that states "The use of PPTP, IPsec ESP, and GRE to circumvent network security is prohibited" could be rewritten more simply as "The use of tunneling protocols to circumvent network security is prohibited." The specific list of protocols belongs in a procedure or technical standard maintained by IT, where it can be updated as technology changes without reissuing the policy.

Components. The written format of a policy will follow a company standard, but most policies include the following major sections:

* The policy name. This should be self-explanatory, but care must be taken to ensure that the policy name makes it easy for the user to locate. For example, the security department may write a policy titled "access control" that gives guidance to employees on lobby hours, the requirement for displaying badges, and use of card reader doors, even though the IT department already has a policy by that name that governs access to the company's firewalls. This could cause confusion among employees, so perhaps "facility access" would be a better name in this instance.

* Definitions. This section should be reserved for defining technical, professional, or legal terms, such as trusted user or force majeure. It should not be necessary to spend valuable time defining such terms as company identification card.

* Scope. This section will usually define the policy parameters, including those to whom the policy applies. Any exclusions would be listed here. For example, a company's information classification and handling policy might state: "This policy applies to all company proprietary information with the exception of government classified documents, which are governed by separate policy and Department of Defense regulations." Other issues when considering the scope of the policy are whether it applies globally or just to domestic operations; whether it includes contractors, employees, or both; and whether it applies to specific departments or employee groups in the company.

* Policy provisions. The meat of the policy is in this section, which usually consists of a general policy statement, what compliance entails, what is prohibited, reporting requirements, and sanctions for violating the policy. For instance, a company identification policy might include provisions such as: identification must be visible on the outer garment at all times, the badge remains the property of the company, and the badge may not be altered in any way, such as by adding stickers or other decorations.

* Responsibility. This section will outline the specific responsibilities of stakeholders. Using the example of a policy governing access to a secure area, a policy might state: Security is responsible for administering the badge request process, programming authorized user cards, and furnishing regular reports to the approving manager. The manager responsible for the secure area is responsible for approving access based on need, reviewing access reports, and notifying security of any discrepancies or issues. All authorized users are responsible for complying with the secure area access policy and other policies established to protect company assets and information.

Beyond the major sections, other information that is present in most policies includes the date the policy is written or revised and the policy number if a numbering system is used. Again, exact components and format will be determined by the company culture and practices.

Marketing. Security is a learned behavior. An effective awareness campaign may include bulletin board reminders, desk drops, a "Security Corner" in the company newsletter, and security presentations to employee groups. In terms of avenues for raising attention, the security manager is limited only by his or her own creativity.

Tools. If management expects policy compliance, it must provide employees with the means. For instance, a policy mandating that employees visibly display the company badge above the waist is useless if the security department furnishes only retractable reels with belt clips.

In the case of the laptop security program at the author's firm, employees were given lockdown equipment because the company realized that staff would be more likely to comply with the security program if they were furnished with the proper security devices. The security department keeps a small supply of spare cables on hand in the event that an employee loses one. Also, security officers are well prepared to address any questions regarding the use of the locking devices.

Having the right equipment for the job is also important. The author's company experienced a higher compliance rate when laptop security cables were changed from a keyed lock to one with a user-programmed combination because users no longer had to worry about losing the key. Employees also like the system because they can choose their own combinations.

Safety considerations are another issue. Electricians and mechanics, for instance, have an obvious aversion to things hanging from their clothing, so issuing them armbands for their badges might increase compliance with a badge policy.

If a policy requires that reports be filed, security should provide a report template either as hard copy attached to the policy or in a digital format available on the company intranet to ensure that the information requested is received in the desired format.

For some policies that require more explanation, security may want to develop a "manager's toolkit" that contains an executive summary highlighting important policy points and a short PowerPoint presentation. Managers can use this package at staff meetings to explain the policy or to raise awareness of it.

Measurement. After a policy has been implemented, its effectiveness must be gauged in some way. Only by measuring the compliance rate can a security manager identify the trends in noncompliance.

Measurements need not be complicated or time-consuming. In the author's company, for example, compliance with the requirement for wearing company identification badges is measured periodically by posting a security officer at the cafeteria entrance. The officer is simply there to count how many employees pass through and how many are wearing their badges, not to take names or challenge those not wearing their badges. Measuring the compliance rate helps the security department determine whether awareness efforts are working.

Sometimes measurements reveal that the policy needs to be updated or eliminated or that it is defective. A high rate of noncompliance should cause security to reevaluate the program.

Employees are naturally resistant to any corporate rule because it represents a potential barrier to getting the job done. But security can reduce resistance by assessing needs, working with stakeholders, providing the required tools, and keeping it simple.

[Author Affiliation]
Craig McQuate, CPP, is the director of corporate protection services at Genuity Solutions, Inc. He is a member of the ASIS Council on Business Practices.

Indexing (document details)

Subjects: Guidelines, Policy making, Security management
Classification Codes: 2310 Planning, 9150 Guidelines, 9190 United States, 5140 Security management
Locations: United States, US
Author(s):Craig McQuate
Document types:Feature
Source type:Periodical
ISSN: 0145-9406
ProQuest document ID:260725781
Text Word Count: 2560