Security Leadership and Management

Building Strong Policies for Ongoing Structure and Security

In every element of our daily lives there are rules that guide our behavior. These rules come to us in many forms. From the time we are infants, our parents teach us what types of behaviors are acceptable and those that are not. We all remember the dreaded “No” from our mothers or fathers, which was usually coupled with a stern look on their face. As we grew up, there were rules at school, and as we learned to drive there were traffic laws we needed to obey. Our world is full of legions of government regulations and laws with which we are expected to comply. We all understand that without rules, regulations and laws to guide behavior, civilization as we know it would cease to exist and we would be cast into a world of utter chaos.

Rules, regulations and laws give us that solid foundation to guide behavior and establish the consequences for failure to comply. As we entered the working world, things like codes of conduct, policies, procedures and processes were added to our list of things to guide us and to which we were expected to conform.

The outer ring of this graphic identifies key elements of establishing a solid foundation for implementing an Enterprise Risk Management (ERM) based program. This month we are focusing only on the area of establishing policies, procedures and processes.

Our working worlds are filled with complexity, whether you work for a company, an NGO, a non-profit or a governmental entity. Establishing rules of behavior and the consequences for failure to comply is critical to ensuring and maintaining any form of consistency and uniformity of action across the enterprise. Policies, procedures and processes are necessary tools for defining the day-to-day rules of behavior and the steps needed to get your job done efficiently, effectively and consistently.

Some organizations try desperately to create an open and free-wheeling environment in the belief that it will foster creativity and innovation. Somewhere along the way, unless it is a one-person entity, policies, procedures and processes will become necessary. Structure is a critical element of the working environment, just as it is of our everyday lives. Without structure, manufactured products would not be produced in a consistent manner, financial transactions would not be trusted and failures would recur. These compliance failures not only can result in loss of trust in products or services, but can reach a level that breaches laws and regulations. Ultimately, compliance failures can result in an erosion of the entity’s reputation and significant liability not only for the entity but also for those responsible.

There are a number of different ways to establish structure within an entity. We have all seen the proliferation of “Mission and Vision” statements at the top of the food chain, setting the overall operating philosophy for an entity. Some organizations have a very hierarchical structure, while others expect the individual elements of their organization to establish the ground rules for how to operate in those units. Establishing a set of high-level policies that guide behavior and set the general standards across the organization is one of the best ways to lay the groundwork for consistency across the entity. In the very hierarchical environment, top-level policies are typically followed by procedure manuals for each of the various elements of the organization. This hierarchical approach often leads to classic stove-piping and does little for cross-fertilization of operating philosophies or expectations across the organization.

A more effective, but admittedly more complex, structure for tracking document change management is to embed compliance or operating requirements directly in each functional area’s operating procedures. For example, one approach is to require Procurement to reference the corporate security manual for guidance on the steps necessary to conduct a due diligence review of a potential supply chain partner. A more efficient approach is to embed the steps necessary to conduct due diligence on potential supply chain partners directly in the procurement department manual.

One of the most effective ways to ensure people understand what is expected of them is by creating process flow charts and utilizing yes/no decision trees. The old saying “A picture is worth a thousand words” holds very true in today’s complex world.

This article was previously published in the print magazine as "Establish A Solid Foundation."


Recent Articles by Jerry Brennan
