This reference page provides a definition and structure for a policy and standards framework. A policy and standards framework is a foundational element of strong processes and good practices within an organization. As part of risk management, an organization should establish policies and standards that provide guidance and points of control over operational activities so that risks stay within acceptable limits. Often, such frameworks have been built up over time in reaction to gaps or incidents. This haphazard approach can result in serious efficiency and quality issues. Policy and standards efforts frequently become either too rigid (standards and policies specify in too great detail how work should be done and cannot keep pace with technology or markets) or too numerous and confusing (overlapping policies or procedures conflict with each other, are inaccessible, or are out of date). By proactively building a framework with thoughtful structures that apply a quality management approach and best-practice operational processes, risk management can be accomplished without wasted cost and effort. A well-defined framework provides enduring operating principles while remaining flexible and meaningful enough to accommodate changing technology, new business needs and improving processes. This reference page provides a recommended template for organizations to construct a robust and effective policy and standards framework.
The template is composed of multiple layers that cascade from the highest level of governance down to task-level guidance. I have found the following definitions helpful both for establishing a core, guiding framework and for easily maintaining up-to-date practices and technologies.
Corporate Values: Behaviors established as core to the corporation by executive management and typically approved by the board. All staff and leadership within the corporation are expected to respect and adhere to these values (e.g., integrity, customer focus, teamwork). The values set the tone for how personnel behave in business situations. It is appropriate to assess staff on how they fulfill the values, usually as a portion of their annual performance review. To bring values to life for employees, examples of situations, and of how employees handled them successfully based on the corporate values, are a key tool in growing a consistent and effective corporate culture.
Policy: A mandatory principle established by senior management and formally adopted by the organization. Policies are intended to drive decisions and actions in alignment with the company’s priorities and strategic direction. Policies should be limited in number and directly attributable to those areas requiring explicit governance for the corporation. For technology, policies should define a baseline for the management of technology risk to ensure appropriate practices and outcomes (e.g., Disaster Recovery Policy, Information Security Policy). Policies are also used to ensure a common approach to technology-related risk and to promote appropriate quality and operational measures (e.g., Technology Architecture Policy). Brief example: The corporation will protect the integrity and confidentiality of the data of its customers and employees.
Standard: A rule or set of rules that broadly defines mandatory and enforceable requirements. As needed, standards also define uniform approaches or a limited set of alternatives for satisfying policies. Well-structured standard statements describe “what” should be done. It is critical to avoid prescriptive statements of “how” in standards; these lead to excessive cost of compliance and to standards quickly becoming obsolete or irrelevant as technology changes. Robust standards define the risk classification and set the minimum required baseline (in terms of “what”) for the organization. Brief example: Robust information security will be employed to protect customer and employee data.
Recommended Practice: The preferred approach for achieving a standard. It should be of moderate detail so that the architect or designer understands the method for achieving the standard. Within the organization, recommended practices are the primary vehicle for shared, continuously maturing knowledge on how best to meet the standard. Each operating unit, and the teams and individuals within it, retains ultimate accountability for meeting the standard; when new situations arise from technology, the business or a particular implementation, the unit is expected to extend and enhance the recommended practice to meet the standard. Recommended practices should include verification steps or metrics where appropriate. Brief example: All production systems must maintain robust access management. Further, attempts to gain access to production systems must be logged and the logs retained. Logs shall be reviewed regularly by platform managers. For UNIX systems, minimum configuration settings as well as the logging review report are defined in UNIX Specification 1.x.
Approved Procedure: The defined steps for how an organization performs a particular process within the recommended practice in order to meet the standard. Procedures contain step-by-step instructions for a process or sub-process that enables the organization to provide a service. Procedures should contain operational metrics that support operational management and performance tracking, as well as verification metrics that enable appropriate control. Procedures should be designed with feedback loops on key metrics to ensure adequate quality. Procedures are owned and maintained by the operating unit performing the process or by the process owner within the business.
Specification: A document containing detailed selections, configurations or settings that can be referenced by Approved Procedures or Recommended Practices. Specifications should be updated regularly, with appropriate versioning maintained.
It is important to understand that any risk framework must take into account that organizations and technology are not static; nor is the very business they serve. The highest levels of guidance, such as corporate mission, values and policies, should change infrequently and only for significant business, market or regulatory reasons. Thus, the highest levels must be written very thoughtfully and must studiously avoid specifics as to how an activity should be performed. Further, organizations should avoid writing policies that overlap with common-sense judgement based on the company’s values. Instead, handbooks that explain appropriate behavior in certain situations and give guidance based on the corporate values are far more appropriate than an overly detailed policy that explains exactly what to do or not to do. This reinforces the corporation’s values and properly entrusts staff with the ability to apply them. Specific methods, procedures and control activities, which will naturally and regularly evolve, should be captured in artifacts that are more easily updated than a policy. Further, the same improvement processes that a high-performance team uses should govern risk management activities, with operational data and metrics enabling continuous improvement in risk management and outcomes.
The entire policy and standards framework should be published in a highly accessible database that maintains versioning and clearly defines authorship.