Bandler's Three Platforms to Connect (for compliance)
by John Bandler
Bandler's Three Platforms to Connect for compliance can help organizations manage themselves effectively and efficiently, including with their information assets. (Information assets include computer devices, data, networks, and more). For effective management and compliance, organizations should take note of laws and regulations, create internal rules, and then act accordingly. My Three Platforms concept helps visualize how all three should align.
Of course, organizations focus on their primary missions, which include one or more of the following:
- Do good and help individuals and society, provide a necessary service or product
- Earn revenue and business (which pays employee salaries, rewards business owners and shareholders, etc.)
- Obtain donations or grants
- Survive, thrive, and grow.
But to do this, they need to protect and fully utilize their information systems, and comply with legal requirements.
The three platforms to connect
The three areas to consider are:
- Laws and regulations (external rules)
- Policies, procedures, and other internal rules
- Practice, action, or what is actually done.
Let's examine each of those in turn.
External rules (laws and regulations)
External rules are the laws and regulations that come from outside of the organization.
First, they include statutes passed by our federal legislature or a state legislature and then signed into law by the executive (president or governor). Consider laws that relate to information systems regarding cybersecurity, privacy, data breach reporting, and more; examples include:
- New York’s SHIELD Act (“Stop Hacks and Improve Electronic Data Security Act”), GBL 899-aa and GBL 899-bb, imposing cybersecurity and data breach notification requirements on most organizations
- The FTC Act, which gives the Federal Trade Commission authority over unfair or deceptive trade practices, and through that some authority over privacy and cybersecurity
- The Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)
- Many more!
Next, consider regulations issued by a regulatory-type body, such as the Federal Trade Commission, Federal Deposit Insurance Corporation (FDIC), Department of Health and Human Services (HHS), or New York State Department of Financial Services (NYS DFS), to name just a few. Examples of such regulations include:
- New York’s Cybersecurity Requirements for Financial Services Companies, 23 NYCRR 500 (“Rule 500”)
- Regulations issued by HHS under HIPAA and HITECH
- Many more here too.
Then there are established principles of law that may impose legal duties or standards of conduct, including:
- Negligence law (be reasonable and diligent, not sloppy or deficient)
- Contract law (including about cybersecurity and other promises with respect to clients, vendors, and insurers)
- Litigation rules, including discovery, disclosure, and e-discovery (which can include a duty to preserve and produce documents and data).
Internal rules (policies, procedures, etc.)
Internal rules are created by the organization, executives, and managers to guide internal conduct, inform customers, clients, or donors, and to demonstrate their compliance with external rules.
By necessity, some internal rules are verbal, cultural, or "tone". They range from a verbal instruction to atmosphere and culture about what is accepted and what is not. Of course, verbal and cultural rules can only go so far, and sometimes are not worth the paper they are [not] printed on. Internal rules should be consistent across documents and "verbal rules".
Internal rules should be put in writing based upon the size and maturity of the organization, the topic, and individualized need. Organizations need to find the right balance between not enough documentation (insufficient written guidance) and too much documentation (too much for employees to read, understand, and maintain).
Types of internal rules include:
- Policies (general rules)
- Standards (more detailed rules)
- Procedures (highly detailed steps to accomplish a task)
- Guidelines (guidance, but not a rule)
- Other documents whatever their name, such as charters, plans, handbooks, manuals, etc.
Subjects of internal rules include:
- Incident response
- Conflicts of interest
- Employee rights and responsibilities in the workplace
I talk more about policies and procedures as internal rules here.
Every organization needs a helpful, quality cybersecurity policy and incident response plan. This informs and guides conduct by individuals and the organization, protects the organization from cybercrime and helps with legal compliance. To fill this need, I created Bandler's Free Cybersecurity Policy.
Practice (action, what is actually done)
Platform three is practice, meaning the actions actually taken by the organization and its employees. The action must be in accordance with laws and regulations or the organization could face civil or even criminal liability. If the action violates internal rules, that is also bad for the organization. After all, those internal rules should be well-considered and serve to help the organization accomplish its mission and comply with laws and regulations.
Align the three platforms and watch the gap
Now that we know about the three important areas, and think of them as platforms, we can build a metaphor that helps us. The government built most of the external rules platform through statute, regulation, and court decisions, so we need to interpret it as best we can. We build the other two platforms ourselves, and want to align them, and reduce and watch the gaps. I put it all together with this diagram.
Red flags to avoid
Organizations can fall into traps that are ultimately bad for the organization and eventually will impair its mission.
When the platforms become out of alignment, and organizations fail to recognize or acknowledge this issue, problems develop. These thoughts or statements should be banished:
- “We can ignore this law/regulation because we probably won't get caught, and even if we do get caught, the penalties won't be too bad.”
- “We need to get a policy in place quickly so we have it and can show [insert name]. But we don’t really need to follow it.”
- "We have good policies on paper, but we don't really follow them."
- "I know the policy says that, but that's not really the way we do it here."
- "Person X is our security/privacy officer on paper, but in reality does not have time for it."
- "We have comprehensive cybersecurity and privacy programs but they are all verbal and unwritten."
- "I need to create this policy/program in a single day."
As the saying goes, "When we first start to deceive, what a tangled web we weave." Organizations should do their good-faith best to comply, protect from cybercrime, and improve themselves. Perfection is never required and the area is complex. Good faith efforts and honesty are necessary.
Wait, aren't your three platforms missing something?
These three platforms represent a compliance line, and aligning them helps ensure compliance with laws and regulations.
But the diagram doesn't depict all an organization needs to consider.
As I have mentioned, organizations do not exist simply to comply -- they have missions and business imperatives. I address that in more detail with my Fourth Platform concept.
Finally, I add a fifth component of external guidance, because we cannot reinvent the wheel. So we seek external guidance that suits us and then adapt it appropriately.
My Three Platforms to Connect concept provides a helpful way for organizations to visualize compliance and management, which also helps with good overall governance and efficiency. Employees that know what is expected of them can focus on their mission. Organizations that are well run and build compliance and security into their operations can focus on their mission. Mission and business needs make up my Fourth Platform which I discuss here, and the fifth component is external guidance.
This short article is for your information and learning, and of course is not tailored to your circumstances, nor is it legal or consulting advice.
If your organization needs help with improving its internal documentation and compliance with external rules, including regarding cybersecurity and protecting from cybercrime, let me know.
- Five Components for Policy Work
- Bandler's Three Platforms to Connect (this article)
- Bandler's Fourth Platform to Connect
- Policies and Procedures
- Policies, Procedures, and Governance of an Organization (includes this 3 platforms concept, plus more)
- Policy and Procedure Research and References (I have researched and built out many articles on the topic and they are all listed in this article)
- Cybersecurity, Privacy, You, and Your Organization
- Cybersecurity review and improvement for your organization - a checklist
- Introduction to Cybersecurity and Information Security
- Cybersecurity Laws and Regulations Part 1 (general legal overview)
- Bandler's Free Starter Cybersecurity Policy
- Bandler's Four Pillars of Cybersecurity
This article is hosted at https://johnbandler.com/bandlers-three-platforms-to-connect, copyright John Bandler, all rights reserved.
This article is also available on Medium.com at https://johnbandler.medium.com/bandlers-three-platforms-to-connect-3f1fee3ef1cf (though not kept as up to date).
Originally posted 1/8/2022 (carving out the "Three Platforms to Connect" concept from my original 2020 article: Policies, Procedures, and Governance of an Organization), updated 8/2/2023.