How to Write Good Policies
Policy Elements to Consider for Your Organization
August 30, 2013
CyberTears.Org
Dr. Shawn P. Murray, C|CISO, CISSP, CRISC, FITSP-A
© Copyright 2013 – Murray, Shawn P.
Note: Author maintains full ownership; however, this article can be freely used and distributed as long as the
author is properly referenced.
Introduction
One of the least expensive countermeasures we can deploy in our organization is an
effective security policy. There are different schools of thought regarding policies that can
be debated; however, the focus of this article is to outline some basic elements that should
be considered when developing policies in general.
Policies, in general, are meant to articulate the organization’s expectations, express
specific behaviors, achieve goals or identify actions to be taken in a specific scenario.
Generally, when the organization believes something fits the above criteria and is
important enough to write down, it is presented in a document usually referred to as a
policy. Effective policies can reduce the risk of employees damaging property, failing to
conduct their jobs safely and efficiently, or harming the reputation of the organization
overall.
A BIT ABOUT THE DIFFERENCE BETWEEN POLICIES, PROCEDURES, STANDARDS AND GUIDELINES
There are differences in how an organization uses various written tools to meet
organizational objectives. Many use policies, procedures, standards and guidelines. There
are other tools; however, these are the most commonly used in a given environment. The
relationships between these tools are identified below.
Policies
Policies are normally high-level organizational documents approved by executive
management. Policies that are not approved at this level are difficult to enforce.
Policies are important for the organization’s success and should meet
organizational goals that align with the mission or overall business strategy.
Procedures
Procedures are specific and detailed instructions or tasks that should be followed
without deviation and that allow an individual or group to meet a specific standard.
Compliance with procedures is mandatory for ensuring uniformity and accuracy and for
controlling an expected outcome. They should be periodically reviewed for
effectiveness.
Standards
Standards define mandatory requirements that should be followed by all. If we
didn’t have standards, we would have too many commonly used proprietary
products that are made differently (think about electronics, automotive parts and
engineering principles). Well-known standards authorities include the International
Organization for Standardization (ISO), the Institute of Electrical and Electronics
Engineers (IEEE) and the National Institute of Standards and Technology (NIST).
Guidelines
Guidelines are developed as guidance for implementing standards. Think of them as
general instructions that should be followed to meet the mandatory requirements
of the standard. In the absence of a standard, guidelines can also provide advice to
someone making decisions to meet organizational objectives. This reduces the risk
of not following some type of process to meet the objective. Guidelines are not
normally mandatory.
Elements of a good policy
The following elements should be considered when developing your policy:
Cover page, Title page - The cover page or title page should state the policy name and the
current version of the policy. It should include a control mechanism, like a policy number,
that makes the policy easier to track for administrative purposes. The name of the company
and the executive branch within the organization should be identified on the cover page as well.
Example: CyberTears.org, Office of the Chief Information Officer, Cyber Security Division
Document control page – The document control page goes by various names: “Document
History”, “Document Change Page”, etc. Its purpose is to track the historical record of the
policy. It is properly titled, and a table is inserted with basic revision history information
such as version number, release or approval date, summary of changes, section or
paragraph numbers that may have been updated, and a user identifier that indicates who
made the change(s). The first entry on the document control page should be the initial
release. If a periodic review is required, it should be recorded here as well, even if no
changes were made to the document.
Plain and Simple – Most policies should be written in plain and simple language that is easy
to read and understand. Avoid excessive use of acronyms, and spell them out the first time
if you have to use them. Technical or legal policies can be verbose and difficult to read.
Have an editor review your policies to ensure they are appropriate for the intended
audience.
Executive buy-in – It was mentioned earlier in this article that policies should be approved
by senior management. This is crucial for the policy to maintain effectiveness. When a
policy is not supported by management, it is difficult to enforce and becomes
ineffective or irrelevant to the success of the company. There should be a clear message to
the organization that upper management approved and fully supports the policies that are
developed. This should be articulated in the policy as well.
Policies should be reviewed periodically to ensure they still align with the organization’s
overall mission and business strategy. If a policy no longer aligns with the
organization’s success, the policy should be updated or removed. Some policies should be
reviewed for currency by subject matter experts to ensure they comply with federal or
state laws; examples of these types of policies include human resources policies,
environmental and safety policies, and policies that pertain to work done with other
companies outside the organization.
Policies should be enforceable – Because policies are written to articulate specific
expectations, they should be enforceable. Enforceability is achieved when the following
policy characteristics are known by the policy stakeholders:
• Intended audience
• Policy applicability
• Policy details
• An accountability statement
• Acknowledgement
Identify your audience and applicability – Not all policies are written for all of the personnel
in the company. Identifying your audience is key to keeping the policy focused on its
objectives. For instance, an acceptable use policy for computing resources would
be applicable to all employees in the organization; however, a policy that states how
network and computer configurations are to be made may apply only to the network and
systems administrators, as it relates to a specific configuration control process.
Policy details – This is where the organization outlines the tasks and articulates
expectations regarding the policy. The policy introduction and purpose should be stated
first, followed by the details of how the objectives are to be achieved. Additional details may
include training and resource requirements and references to applicable procedures,
standards or guidelines necessary for personnel to achieve the policy objectives.
Acknowledgement and accountability – Policies should be acknowledged by the personnel
they are written for. The most effective way to get employees to recognize and
comply with a policy is to have them sign that they acknowledge it. This can be
accomplished with the old-fashioned pen-and-ink method or electronically. Accountability
allows the organization to enforce compliance in the event there is a deviation from the
policy. As previously discussed, an accountability statement should articulate the
ramifications of noncompliance. This way, employees understand what to expect if they
don’t meet requirements. A common example of an accountability statement would be:
“Deviation from this policy may result in administrative and/or disciplinary action, up to and
including termination”.
Other things to consider
Policy management – For large organizations, there are scalable software solutions that
allow for the effective management of the many policies that may be required for
the organization to conduct business. Complicated business unit relationships within a
company may require different management techniques that accommodate international
laws and the laws of other countries where business is conducted.
Some organizations have a single person or a small office of personnel that manages the
organization’s policies. These personnel are not necessarily the experts regarding the
policies; however, they coordinate with the policy owners and internal review authorities
to ensure policy currency, applicability and compliance. They also serve as the
distribution authority and maintain policy libraries for the organization.
For small to medium sized companies, it is sometimes more practical to hire another firm
to write, update or review policies. When a company does not have the expertise or time to
produce effective policies, outsourcing these services should be considered.
Deconfliction – Ensure that the development of one policy does not conflict with another
policy. Sometimes this happens with unique policies that cross stakeholder groups and
affect other policies. There should be a deconfliction process for when this happens.
Don’t overdo it – We don’t write policies and implement them in our organization just
because we enjoy them. You should only develop and write policies when they are needed.
Having policies for everything you do can place too many constraints on your personnel
and increase the possibility of creating conflicting policies. Remember that you have the
other tools discussed earlier in this article to address key areas that need to be managed effectively.
Conclusion
This article discussed how to write good policies and described good policy elements that
an organization would want to consider so that it can operate effectively and efficiently.
Good policies articulate specific organizational objectives that align with the overall
business strategy. Policies let employees know what the expectations are and reduce risk to
the organization overall. Policies should be updated periodically, be enforceable and have the
support of executive management, or they lose effectiveness.
 
falcon-invoice-discounting-a-premier-platform-for-investors-in-india
falcon-invoice-discounting-a-premier-platform-for-investors-in-indiafalcon-invoice-discounting-a-premier-platform-for-investors-in-india
falcon-invoice-discounting-a-premier-platform-for-investors-in-india
 
Filing Your Delaware Franchise Tax A Detailed Guide
Filing Your Delaware Franchise Tax A Detailed GuideFiling Your Delaware Franchise Tax A Detailed Guide
Filing Your Delaware Franchise Tax A Detailed Guide
 
anas about venice for grade 6f about venice
anas about venice for grade 6f about veniceanas about venice for grade 6f about venice
anas about venice for grade 6f about venice
 
Skye Residences | Extended Stay Residences Near Toronto Airport
Skye Residences | Extended Stay Residences Near Toronto AirportSkye Residences | Extended Stay Residences Near Toronto Airport
Skye Residences | Extended Stay Residences Near Toronto Airport
 
Project File Report BBA 6th semester.pdf
Project File Report BBA 6th semester.pdfProject File Report BBA 6th semester.pdf
Project File Report BBA 6th semester.pdf
 
Lookback Analysis
Lookback AnalysisLookback Analysis
Lookback Analysis
 
Taurus Zodiac Sign_ Personality Traits and Sign Dates.pptx
Taurus Zodiac Sign_ Personality Traits and Sign Dates.pptxTaurus Zodiac Sign_ Personality Traits and Sign Dates.pptx
Taurus Zodiac Sign_ Personality Traits and Sign Dates.pptx
 
一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理
一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理
一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理
 
RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...
RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...
RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...
 
3.0 Project 2_ Developing My Brand Identity Kit.pptx
3.0 Project 2_ Developing My Brand Identity Kit.pptx3.0 Project 2_ Developing My Brand Identity Kit.pptx
3.0 Project 2_ Developing My Brand Identity Kit.pptx
 
Introduction to Amazon company 111111111111
Introduction to Amazon company 111111111111Introduction to Amazon company 111111111111
Introduction to Amazon company 111111111111
 
Discover the innovative and creative projects that highlight my journey throu...
Discover the innovative and creative projects that highlight my journey throu...Discover the innovative and creative projects that highlight my journey throu...
Discover the innovative and creative projects that highlight my journey throu...
 
What are the main advantages of using HR recruiter services.pdf
What are the main advantages of using HR recruiter services.pdfWhat are the main advantages of using HR recruiter services.pdf
What are the main advantages of using HR recruiter services.pdf
 
Business Valuation Principles for Entrepreneurs
Business Valuation Principles for EntrepreneursBusiness Valuation Principles for Entrepreneurs
Business Valuation Principles for Entrepreneurs
 
Accpac to QuickBooks Conversion Navigating the Transition with Online Account...
Accpac to QuickBooks Conversion Navigating the Transition with Online Account...Accpac to QuickBooks Conversion Navigating the Transition with Online Account...
Accpac to QuickBooks Conversion Navigating the Transition with Online Account...
 
Set off and carry forward of losses and assessment of individuals.pptx
Set off and carry forward of losses and assessment of individuals.pptxSet off and carry forward of losses and assessment of individuals.pptx
Set off and carry forward of losses and assessment of individuals.pptx
 
Search Disrupted Google’s Leaked Documents Rock the SEO World.pdf
Search Disrupted Google’s Leaked Documents Rock the SEO World.pdfSearch Disrupted Google’s Leaked Documents Rock the SEO World.pdf
Search Disrupted Google’s Leaked Documents Rock the SEO World.pdf
 
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdfMeas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
 
Global Interconnection Group Joint Venture[960] (1).pdf
Global Interconnection Group Joint Venture[960] (1).pdfGlobal Interconnection Group Joint Venture[960] (1).pdf
Global Interconnection Group Joint Venture[960] (1).pdf
 

How to Write Good Policies

Policy Elements to Consider for Your Organization
August 30, 2013
CyberTears.Org
Dr. Shawn P. Murray, C|CISO, CISSP, CRISC, FITSP-A
© Copyright 2013 – Murray, Shawn P.
Note: Author maintains full ownership; however, this article can be freely used and distributed as long as the author is properly referenced.
Introduction

One of the most inexpensive countermeasures we can deploy in our organization is an effective security policy. There are different thoughts regarding policies that can be debated; however, the focus of this article is to outline some basic elements which should be considered when developing policies in general.

Policies, in general, are meant to articulate the organization’s expectations, express specific behaviors, achieve goals or identify actions to be taken in a specific scenario. Generally, when the organization believes something fits the above criteria and is important enough to write down, it is presented in a document usually referred to as a policy. Effective policies can reduce the risk of employees damaging property, failing to conduct their jobs safely and efficiently, or harming the reputation of the organization overall.

A BIT ABOUT THE DIFFERENCE BETWEEN POLICIES, PROCEDURES, STANDARDS AND GUIDELINES

There are differences in how an organization uses various written tools to meet organizational objectives. Many use policies, procedures, standards and guidelines. There are other tools; however, these are the most used in a given environment. The relationships between these tools are identified below.

Policies

Policies are normally high-level organizational documents approved by executive management. Policies that are not approved at this level are difficult to enforce. Policies are important for the organization’s success and should meet organizational goals that align with the mission or overall business strategy.

Procedures

Procedures are specific and detailed instructions or tasks that should be followed without deviation and allow an individual or group to meet a specific standard. Compliance with procedures is mandatory for ensuring uniformity and accuracy and for controlling an expected outcome. They should be periodically reviewed for effectiveness.

Standards

Standards define mandatory requirements that should be followed by all. If we didn’t have standards, we would have too many commonly used proprietary products that are made differently (think about electronics, automotive parts and engineering principles). Well-known standards authorities include the International Organization for Standardization (ISO), the Institute of Electrical and Electronics Engineers (IEEE) and the National Institute of Standards and Technology (NIST).

Guidelines

Guidelines are developed as guidance for implementing standards. Think of them as general instructions that should be followed to meet the mandatory requirements of the standard. In the absence of a standard, guidelines can also provide advice to someone making decisions to meet organizational objectives; this reduces the risk of not following any process at all to meet the objective. Guidelines are not normally mandatory.

Elements of a good policy

The following elements should be considered when developing your policy:

Cover page or title page – The cover page or title page should state the policy name and the current version of the policy. It should include a control mechanism, such as a policy number, that is easily tracked for administrative purposes. The name of the company and the executive branch within the organization should be identified on the cover page as well. Example: CyberTears.org, Office of the Chief Information Officer, Cyber Security Division.

Document control page – The document control page has various names: “Document History”, “Document Change Page”, etc. Its purpose is to track the historical record of the policy. It is properly titled, and a table is inserted with basic revision history information such as version number, release or approval date, summary of changes, section or paragraph numbers that were updated, and a user identifier indicating who made the change(s). The first entry on the document control page should be the initial release. If a periodic review is required, it should be recorded here as well, even if no changes were made to the document.

Plain and simple – Most policies should be written in plain and simple language that is easy to read and understand. Avoid excessive use of acronyms, and spell them out the first time if you have to use them. Technical or legal policies can be verbose and difficult to read. Have an editor review your policies to ensure they are appropriate for the intended audience.

Executive buy-in – It was mentioned earlier in this article that policies should be approved by senior management. This is crucial for the policy to maintain effectiveness. When a policy is not supported by management, it is difficult to enforce and becomes ineffective or irrelevant to the success of the company. There should be a clear message to the organization that upper management approved and fully supports the policies that are developed. This should be articulated in the policy as well. Policies should be reviewed periodically to ensure they still align with the organization’s overall mission and business strategy. If a policy no longer aligns with the organization’s success, it should be updated or removed. Some policies should be reviewed for currency by subject matter experts to ensure they comply with federal or state laws; examples include human resources policies, environmental and safety policies, and policies that pertain to work done with other companies outside the organization.

Policies should be enforceable – Because policies are written to articulate specific expectations, they should be enforceable. Enforceability is achieved when the following policy characteristics are known by the policy stakeholders:
• Intended audience
• Policy applicability
• Policy details
• An accountability statement
• Acknowledgement

Identify your audience and applicability – Not all policies are written for all of the personnel in the company. Identifying your audience is key to keeping the policy focused on its objectives. For instance, an acceptable use policy for computing resources would be applicable to all employees in the organization; however, a policy that states how network and computer configurations are to be made may apply only to the network and systems administrators, as it relates to a specific configuration control process.

Policy details – This is where the organization outlines the tasks and articulates expectations regarding the policy. The policy introduction and purpose should be stated, followed by the details of how objectives are to be achieved. Additional details may include training and resource requirements and references to applicable procedures, standards or guidelines necessary for personnel to achieve policy objectives.

Acknowledgement and accountability – Policies should be acknowledged by the personnel they are written for. The most effective way to get an employee to recognize and comply with a policy is to have them sign that they acknowledge it. This can be done the old-fashioned pen-and-ink way or electronically. Accountability allows the organization to enforce compliance in the event of a deviation from the policy. As previously discussed, an accountability statement should articulate the ramifications of noncompliance, so that employees understand what to expect if they don’t meet requirements. A common example of an accountability statement would be: “Deviation from this policy may result in administrative and/or disciplinary action, up to and including termination.”

Other things to consider

Policy management – For large organizations, there are scalable software solutions that allow for the effective management of the many policies that may be required for the organization to conduct business. Complicated business unit relationships within a company may require different management techniques that accommodate international laws and the laws of other countries where business is conducted. Some organizations have a single person or a small office of personnel that manages the organization’s policies. These personnel are not necessarily the experts regarding the policies; however, they coordinate with the policy owners and internal review authorities to ensure policy currency, applicability and compliance. They also serve as the distribution authority and maintain the policy libraries for the organization. For small to medium-sized companies, it is sometimes more practical to hire another firm to write, update or review policies. When a company does not have the expertise or time to produce effective policies, outsourcing these services should be considered.

Deconfliction – Ensure that the development of one policy does not conflict with another policy. Sometimes this happens with unique policies that cross stakeholder groups and affect other policies. There should be a deconfliction process for when this happens.

Don’t overdo it – We don’t write policies and implement them in our organization just because we enjoy them. You should only develop and write policies when they are needed. Having policies for everything you do can place too many constraints on your personnel and increase the possibility of creating conflicting policies. Remember that you have the other tools discussed earlier in this article to address key areas that need to be managed effectively.

Conclusion

This article discussed how to write good policies and described the elements of a good policy that an organization would want to consider so that it can operate effectively and efficiently. Good policies articulate specific organizational objectives that align with the overall business strategy. Policies let employees know what the expectations are and reduce risk to the organization overall. Policies should be updated periodically, be enforceable and have the support of executive management, or they lose effectiveness.