Internal Rules Building
by John Bandler
This analogy to help assess and build organization internal rules can be useful for every organization. A good analogy doesn't have to be perfect, but some (like this) are better than others. I have been using the internal rules platform analogy for some time, which extends well when we examine construction of internal rules.
Recapping the Platforms and Five Components
I use the "platform" analogy when discussing organization mission and compliance.
Within my Three Platforms to Connect for Compliance, there are three areas to consider and align for compliance analysis:
- Laws and regulations (external rules)
- Policies, procedures, and other internal rules
- Practice, action, or what is actually done.
Then I add a fourth platform of Mission and Business Needs.
And finally add a fifth component (a cloud) of External Guidance to ensure best practices are considered.
That leaves us with Five Components for Policy Work.
In this article, we are focusing on the internal rules, and how to build and assess them conceptually as a platform.
The "rules platform" analogy is better than the "rules pyramid"
I rethought the traditional "rules pyramid" analogy and created the "rules platform".
One of the problems with the rules pyramid is the analogy breaks down for anything but a fully built set of internal rules.
With the rules "platform", we have a good way to conceptualize how to analyze and build it, no matter what organization, no matter their size, type, and relative maturity.
A small startup organization might be excused if it didn't have a single written policy. Is a two person company violating good practices simply because they do not have a written cybersecurity policy and incident response plan?
My analogy accommodates all circumstances. It recognizes that rules can be unwritten (though organizations need to exercise caution relying upon this). Small startups that grow and mature create culture and written rules little by little. Some organizations create and maintain a library of policies, standards, procedures, and more. The analogy works for all of that.
I discuss this more in my article on rethinking the rules pyramid.
Our finished rules platform
Let's take a look at what our finished rules platform should look like. It is sturdy (won't collapse), nicely finished and aligns with the other platforms. Thanks to our label, we see this platform includes written rules (policies, procedures, etc.) and unwritten rules.
But we want to see how we could build it, even if we build little by little, over the years.
And we realize not every organization has all of these written documents for all areas of operation.
So next we look at how this platform might be built, for example in a brand new company.
A rules platform relying only on "unwritten rules"
I have said this before, but sometimes unwritten rules are not worth the paper they are written on.
That said, we must recognize that organizations and supervisors issue verbal instructions. This plus corporate culture is important towards individual action and needs to be recognized.
We cannot insist every rule be reduced to writing -- that would be overly cumbersome.
And we cannot expect a brand new startup to have a full suite of policies and procedures.
This means the internal rules platform can be built without written rules. Think of the platform as a box, and depending on the strength of that organization culture, the box is paper, cardboard, sheet metal, or thick steel.
Again, I generally do not recommend relying on unwritten rules, for many reasons we won't get into now.
Lets create some policies
A good way to start building written internal rules is with policies, which are normally general (not specific or detailed) and do not require frequent update or change.
Policies are like pillars, which strengthen our internal rules platform. Good policies are steel reinforced pillars that add substance and bracing to the existing culture and unwritten rules, and ensure mission and compliance align.
Of course, not every policy is good. It is up to the organization to build good, strong policies that fit where the platform is supposed to be.
Now some standards
In information security, a standard may be necessary. Standards are more detailed than a policy but are less detailed than a procedure. Standards need to comply with policies, which are higher level documents.
Here, I depict standards as orange pillars that are narrower than the policies. They fill in the gaps the more general policies cannot reach. Good standards provide additional detail that the organization and employees need to do their jobs and configure systems.
Now some procedures
Procedures are the most detailed type of written internal rule, so I depict them as narrow columns.
Procedures need to comply with standards and policies.
They generally provide step-by-step instructions to accomplish a task.
The final product, our internal rules platform
I already showed you what our finished internal rules platform looks like, but here it is again now that you know what is inside.
Imagine a well built suite of internal rules, some verbal, some written, all fit and support the platform. The platform is properly aligned with laws and regulations, as well as organization mission.
Employees and the organization know what they need to do, and can focus on doing it, and fulfilling the mission of the organization.
Businesses need to build internal rules and practices that align with business needs and external rules.
We think of our internal rules as a platform, and build them with good culture, verbal instructions, policies, standards, and procedures.
Then we can think of the Three Platforms and Four Platforms to Connect concepts, consider external rules, business needs, guidance, and more.
This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.
If your organization needs help with improving its internal documentation and compliance with external rules, including regarding cybersecurity and protecting from cybercrime, let me know.
- Five Components for Policy Work
- Bandler's Three Platforms to Connect
- Bandler's Fourth Platform to Connect
- Policy and Procedure Research and References (I have researched and built out many articles on the topic and they are all listed in this article)
- Policies and Procedures
- Policies, Procedures, and Governance of an Organization
- Policy Checklist
- Internal Rules Planning
- Rethinking the Rules Pyramid
- Cybersecurity, Privacy, You, and Your Organization
- New York Cybersecurity Requirements and the SHIELD Act
- Cybersecurity review and improvement for your organization - a checklist
- Introduction to Cybersecurity and Information Security
- Cybersecurity Laws and Regulations Part 1 (general legal overview)
- Bandler's Free Starter Cybersecurity Policy
- Bandler's Four Pillars of Cybersecurity
This article is hosted at https://johnbandler.com/internal-rules-building, copyright John Bandler, all rights reserved.
This article is also available on Medium.com at NOT YET (though not kept as up to date).
Originally posted 5/30/2022, updated 12/16/2023.