Bandler's Three Platforms to Connect
For compliance and good management of organization information assets (or anything else)
by John Bandler
Organizations should manage themselves effectively and efficiently, and that can extend to information assets. Information assets include computer devices, data, networks, and more. For effective governance, organizations should take note of laws and regulations, create internal rules, and then act accordingly. Consider Bandler's Three Platforms to Connect, a method to visualize how legal requirements, internal policy, and organization practice should align.
Of course, organizations focus on their primary missions, which include one or more of the following:
- Do good and help individuals and society
- Earn revenue and business
- Obtain donations or grants
- Survive, thrive, and grow.
But to do this, they need to protect and fully utilize their information systems, and comply with legal requirements.
The three platforms to connect
The three areas to consider are:
- Laws and regulations (external rules)
- Policies, procedures, and other internal rules
- Practice, action, or what is actually done.
Let's examine each of those next.
External rules (laws and regulations)
External rules are the laws and regulations that come from outside of the organization.
First, they include statutes passed by our federal legislature or a state legislature and then signed into law by the executive (the president or a governor). Consider laws that relate to information systems regarding cybersecurity, privacy, data breach reporting, and more, examples of which are:
- New York’s SHIELD Act (“Stop Hacks and Improve Electronic Data Security Act”), GBL 899-aa and GBL 899-bb, imposing cybersecurity and data breach notification requirements on most organizations
- The FTC Act, which gives the Federal Trade Commission certain authority over privacy and cybersecurity
- The Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH).
Next, consider regulations issued by a regulatory-type body, such as the Federal Trade Commission, Federal Deposit Insurance Corporation (FDIC), Department of Health and Human Services (HHS), or New York State Department of Financial Services (NYS DFS), to name just a few. Examples of such regulations include:
- New York’s Cybersecurity Requirements for Financial Services Companies, 23 NYCRR 500 (“Rule 500”)
- Regulations issued by HHS under HIPAA and HITECH.
Then there are established principles of law which may establish legal duties or standards of conduct, including:
- Negligence law (be reasonable and diligent, not sloppy or deficient)
- Contract law (including about cybersecurity and other promises with respect to clients, vendors, and insurers)
- Litigation rules, including discovery, disclosure, and e-discovery (which can include a duty to preserve and produce documents and data).
Internal rules (policies, procedures, etc.)
Internal rules are created by the organization, its executives, and its managers to guide internal conduct, inform customers, clients, or donors, and demonstrate the organization's compliance with external rules.
By necessity, some internal rules are verbal, cultural, or "tone". They range from a verbal instruction to atmosphere and culture about what is accepted and what is not. Of course, verbal and cultural rules can only go so far, and sometimes are not worth the paper they are [not] printed on. Internal rules should be consistent across documents and "verbal rules".
Internal rules should be reduced to writing based upon the size and maturity of the organization, the topic, and individualized need. Organizations need to find the right balance between not enough documentation (insufficient written guidance) and too much documentation (too much for employees to read, understand, and maintain).
Types of internal rules include:
- Policies (general rules)
- Standards (more detailed rules)
- Procedures (highly detailed steps to accomplish a task)
- Guidelines (guidance, but not a rule)
- Other documents whatever their name, such as charters, plans, handbooks, manuals, etc.
Subjects of internal rules include:
- Incident response
- Conflicts of interest
- Employee rights and responsibilities in the workplace
I talk more about these internal rules here.
Every organization needs a helpful, quality cybersecurity policy. This informs and guides conduct by individuals and the organization, protects the organization from cybercrime and helps with legal compliance. To fill this need, I created Bandler's Free Cybersecurity Policy, which you can access through this website.
Practice (action, what is actually done)
Platform three is practice, meaning the action taken by the organization. What is their general practice and what do they actually do? The action must be in accordance with laws and regulations or the organization could face civil or even criminal liability. If the action violates internal rules, that is bad for the organization also. Presumably those internal rules are well-considered and serve a purpose.
Align the three platforms and watch the gap
Now that we know about the three important areas, imagine them as platforms. The government built most of the external rules platform through statute, regulation, and court decisions, so we need to interpret it as best we can. We build the other two platforms ourselves, and we want to align them and to reduce and watch the gaps. My infographic has been refined several times over the years; take a look.
Red flags to avoid
Organizations can fall into traps that are ultimately bad for the organization and eventually will impair its mission. When the platforms become out of alignment, problems develop. These thoughts or statements should be banished:
- “We can ignore this law/regulation because we probably won't get caught, and even if we do get caught, the penalties won't be too bad.”
- “We need to get a policy in place quickly so we have it and can show [insert name]. But we don’t really need to follow it.”
- "We have good policies on paper, but we don't really follow them."
- "I know the policy says that, but that's not really the way we do it here."
- "Person X is our security/privacy officer on paper, but in reality does not have time for it."
- "We have comprehensive cybersecurity and privacy programs but they are all verbal and unwritten."
As the saying goes, "When we first start to deceive, what a tangled web we weave." This is not to say perfection is required, because that is not possible. But organizations should resolve to do their good-faith best to comply, protect from cybercrime, and improve themselves.
My Three Platforms to Connect concept provides a helpful way for organizations to visualize compliance and management, which also helps with good overall governance and efficiency. Employees that know what is expected of them can focus on their mission. Organizations that are well run and build compliance and security into their operations can focus on their mission.
This short article is for your information and learning, and of course is not tailored to your circumstances, nor is it legal or consulting advice.
If your organization needs help with improving its internal documentation and compliance with external rules, including regarding cybersecurity and protecting from cybercrime, let me know.
- Cybersecurity, Privacy, You, and Your Organization
- New York Cybersecurity Requirements and the SHIELD Act
- Cybersecurity review and improvement for your organization - a checklist
- Introduction to Cybersecurity and Information Security
- Cybersecurity Laws and Regulations Part 1 (general legal overview)
- Bandler's Free Starter Cybersecurity Policy
- Bandler's Four Pillars of Cybersecurity
- Policies, Procedures, and Governance of an Organization (includes this 3 platforms concept, plus more)
- Policies and Procedures
This article is hosted at https://johnbandler.com/bandlers-three-platforms-to-connect, copyright John Bandler, all rights reserved.
This article carves out my "Three Platforms to Connect" concept from my 2020 article: Policies, Procedures, and Governance of an Organization.
This article is also available on Medium.com at NOT YET (though not kept as up to date).
Originally posted 1/8/2022, updated 5/15/2022.