
Policies, Procedures, and Standards – Why They Are Needed and Their Impact on Corporate Security

Jim Nitterauer

People by nature don't like to be told what to do. Most people would rather be told what needs to be done and left to their own devices to produce the end result. That approach works fine if you are an organization of one. Bring in another person and suddenly things start to get done differently by each person. Those differences only multiply as an organization grows. Well-run organizations develop policies, procedures, and standards as a mechanism to help ensure safety, security, consistency, and operational efficiency.

Policies

Simply put, a policy is a statement about what an organization will do in relation to a particular aspect of the business. A policy typically contains a version, a statement that addresses the objective or purpose of the policy, background information, who the policy applies to within the organization, the actual policy statement, enforcement options, change tracking, definitions, and references to specific security or compliance frameworks.

You can see that the policy document has a structured format, addresses a specific issue in a manner that sets expectations, and references a specific procedure to be used to accomplish the outcome. A well-run organization should have governance processes in place across various teams that cover the policy management lifecycle. The number of policies managed by an organization depends on many factors, including organization size, geographic location, number of locations, regulatory requirements, compliance requirements, risk tolerance, customer requirements, supplier requirements, and stockholder or board requirements.

Policies apply to many different departments within an organization and differ in application and scope. Some policies may be broadly applicable to all employees within an organization. Other policies may apply to only a small group of people with a specific role within the organization.

Policies are critical in helping an organization maintain operational efficiency, setting expectations for employees, vendors, and customers, and providing the guardrails needed to operate legally and safely. Unfortunately, many organizations document policies very well but fail in the critical step needed for success. That step is policy execution. Having a policy simply to be able to present a document to an interested party doesn't accomplish anything. The real effectiveness of having policies lies in their distribution to the impacted parties and in gathering proof that the policies are being implemented. The proof we gather is known as artifacts. These artifacts are produced by recording the execution of procedures and often serve as evidence provided to auditors and others as a means of demonstrating the effectiveness of the policies and procedures. Artifacts are sometimes called audit evidence.

Procedures

While policies describe what gets done, procedures describe how things get done. A procedure typically contains a version, a statement that addresses the objective or purpose of the procedure, background information, what the procedure applies to within the organization, the actual procedure, enforcement options, change tracking, definitions, and references to specific security or compliance frameworks. Procedures contain enough detail that those implementing the procedure can execute it. Procedures should be technology agnostic to the degree possible. For instance, a procedure might reference the use of a specific third-party service or software but would refrain from referencing specific versions. Another example might reference the use of TLS encryption but avoid specific details regarding TLS versions and ciphers. Specific details relating to the implementation of technology should be outlined in standards documents, which are referenced from the procedure documents.

Standards

A typical standards document will follow the same format and provide details relating to what is implemented within procedures. Keeping policies as a high-level overview that defines the "what" means that policies change very little over their lifetime. Procedures are a bit more prescriptive and may change more frequently, but limiting references to very specific technologies helps reduce the amount of change. Standards documents are brief descriptors that define specific technologies, implementations, and other minimum technical requirements. These documents change regularly to reflect the current implementation of the technologies used in procedures.

How This Impacts Security

So what? How does all this impact the security of an organization? Security is the reduction of risk to a level that is acceptable — in this case, a level acceptable to the organization based upon the organization's risk appetite. Risk is reduced through the implementation of controls. Controls can be technical or administrative. Each of these types of controls can be preventative, detective, or corrective.

Technical controls operate on physical systems in a predictable and controlled manner. Examples include badge scanners, firewalls, antivirus, and cameras. Some of these are preventative — they block or prevent bad things from happening. Some of these are detective — they monitor actions that occur. Some of these are corrective — they are put in place to correct a previously uncovered weakness.

Administrative controls are put in place to serve as the framework and guardrails for the operation of an organization. These include corporate policies, procedures, and standards. All serve to communicate acceptable and unacceptable activities across the organization. Administrative controls can also fall into any of the three types of controls mentioned — preventative, detective, and corrective. The main difference is that these controls are implemented at the people level and not through technical means.

Both administrative and technical controls can fall into more than one category of control. Some fall into all three categories.

Every security framework is based upon the implementation of proper organizational controls. In fact, SOC stands for Service and Organizational Controls. Policies, procedures, and standards are the foundation of these frameworks. These critical documents define what's being done, how things are done, and with what tools and standards. Having a solid set of foundational policies, procedures, and standards allows the organization to communicate with internal and external stakeholders in a consistent and trackable manner, with the benefit of understandable, repeatable processes that produce consistent results.

Without developing a clear set of operational policies, procedures, and standards, an organization has little chance of success, will be unable to sustain growth, and will not be able to sustain any measure of safety, security, or quality. Additionally, the organization will have a tough time building stakeholder trust. This lack of trust will be noticed by prospects, customers, and employees and will result in long-term, irreparable damage to the brand and ultimately the bottom line.

Developing and implementing policies, procedures, and standards may seem like nothing more than busywork, but organizations that embrace this process in a meaningful and effective manner position themselves for long-term success. Quality, safety, and security are improved. Repeated review of policies, procedures, and standards allows an organization to continually improve and optimize. Ineffective policies are removed, new policies are created based upon the changing landscape, procedures are improved, and best-practice standards can be implemented to take advantage of better and more effective ways to reduce risk. Organizations that take these steps are proactively addressing new risks to the business, resulting in a more effective overall security program.