Policy management doesn’t have to suck


Okay, I’m going to admit it: policy management doesn't have to suck. In fact, it can be a lot of fun and very rewarding. The problem is that most companies don't know how to approach their policies in a way that keeps them secure and their workers happy.

The policy process

When it comes to security policies, the process of creating them should be simple and effective. If you don't have a good process that makes writing policies easy for your team, then you're going to run into trouble. A good policy-development method should also make it easy for your organization's users to access the finished policies. After all, if they can't find the document on their own or figure out how to use it whenever they encounter an issue, then how will the policy help? It just so happens we have a policy app for that!

Keep it simple

Since you’re writing policy, keep it simple. This should go without saying, but if you have a policy that consists of more than two pages and has pictures, you need to rethink your approach. Here are some tips for keeping things as clear and concise as possible:

  • Use plain language instead of technical or legal jargon. If you want to use an acronym in your policy, be sure that it is widely accepted and understood by everyone who may read the document (this includes employees at all levels within the organization).
  • Don't get too technical with your writing – this makes for boring reading! Instead of using complex sentences like “As per our IT department's security standards…” try something like “We must follow all IT department security procedures…”
  • Avoid passive voice wherever possible; it can make your sentences confusing or unclear! An example of passive voice: “The office will be closed today due to inclement weather conditions.”
  • Have clear roles and responsibilities in place so there are no misunderstandings about who does what when it comes time to write up new policies or update existing ones. This could include assigning specific tasks based on who has expertise in certain areas (e.g., a content strategist may be responsible for editing language while someone else focuses on formatting).
  • Make sure everyone knows exactly what steps need to be completed before any other parts of the project start moving forward; this includes knowing who needs approvals from whom at various stages throughout development so there aren't any surprises later down the line if something goes wrong along the way.
  • Alignment
    • Working with leadership to create a policy that is in line with corporate culture
    • Working with your MSP/IT Provider to write policies that align with your compliance and regulatory requirements
    • Working with everyone to ensure they are written with the ACTUAL business processes in place
  • Authorization
    • Working with executive leadership, compliance officers, and legal counsel
    • Having a company representative with the authority to authorize the policy sign off on it
  • Adoption
    • Having a process for end users to review, sign off and adopt the policy
  • Assessment
    • Policy documents have a lifespan
    • Policies should be reviewed and updated on a regular cadence
    • At a minimum, they should be reviewed annually or when significant changes have been made

Create a policy management process that keeps you secure and your workers happy

While it’s important to keep your company compliant and secure, you also have to keep your workers happy. Fortunately, creating a policy management process that satisfies all three of these objectives is as simple as following some basic steps.

    1. First, create a clear set of standards for acceptable use policies (AUP). This should include both an acceptable and unacceptable use policy for email and other communication tools at work, as well as specific guidelines for social media use.
    2. Second, make sure every employee has read and signed off on this AUP — including yourself!
    3. Finally, enforce the AUP by regularly reviewing logs from systems like Microsoft Exchange Online or Office 365 Security & Compliance Center so you can see if anyone has violated any of its rules.

What to include:

— What is the reason for the policy?
— Who developed the policy?
— Who approved the policy?
— Whose authority sustains the policy?
— Which laws or regulations, if any, is the policy based on?
— Who will enforce the policy?
— How will the policy be enforced?
— Whom does the policy affect?
— What information assets must be protected?
— What are users actually required to do?
— How should security breaches and violations be reported?
— What is the effective date and expiration date of the policy?

Writing up policy, getting it approved and distributing it may take hours!

Do you ever wish that policy management wasn't so damn complicated? If so, then we're on the same page. It's not rocket science and it shouldn't be that difficult to get your policies where they need to be.

It doesn’t have to take hours or days of your time just because someone else in IT has decided that it needs their attention first (and maybe even second). It's a waste of money and resources when people keep putting off the creation of new policies until they can find “the right person” who will review them and approve them…only for these same individuals never to put pen to paper because they don't want any part in writing something up — even if it's something simple like “Don't post naked pictures on social media.”

Keeping your policies up to date and having visibility into who has accepted the most recent versions is definitely not something you want to do manually.

Policy management tools allow you to keep your policies current, automatically notify people when a new version has been published, and identify which users have clicked “I accept” on the latest policy draft. This frees up time for more important activities like ensuring compliance or making sure those binders are really secure.

When was the last time you saw anyone reading their company policies?

I'd wager that, like most of us, you haven't had the chance to read your company policies since agreeing to them. For example—and this is just a hypothetical example—you might have signed up for an email marketing service and agreed to a set of terms and conditions that give the provider permission to send you ads based on what they think would appeal to you. And then? Well, then they did! Your inbox was flooded with emails from fintech startups trying to solve all your problems in one go or from old college friends who've moved away but still want their opinion heard.

But here's the thing: no one really reads those policies anyway. The only reason people even signed up for those services was because it looked like something cool or useful and it seemed like no big deal at the time! Personally, I don't know about you guys but I'm pretty sure none of us have ever reviewed our privacy policy before downloading an app or signing up for anything online ever in our lives (except maybe Google Analytics).

Policy management doesn’t have to suck.

There are tools available to help you manage policies, compliance, security and risk. And there are tools that can help with people too. It's not easy work—but if you’re doing it right, you should be able to sleep at night knowing the right things are being done in your name.