Internal Rules Planning
by John Bandler
Organizations need to create and update their internal rules as a matter of proper organization management. This ensures the organization can properly fulfil its missions, protect itself, comply with legal requirements, and ensure long-term growth and success.
I write this mainly in the context of information governance -- properly managing information assets such as computer devices, data, networks, and more. But the concepts apply across all areas of organization management.
Recap: the Three Platforms plus a fourth concept
I discuss these internal rules within the framework of my Three Platforms to Connect method for compliance, which visualizes how legal requirements, internal policy, and organization practice should align.
The three areas to consider for compliance analysis are:
- External rules: Laws and regulations
- Internal rules: Policies, procedures, and other internal documents
- Practice (or action): what is actually done.
Then I introduced the Fourth Platform, business needs, which brings organization mission and business needs into our conceptual diagram. Mission can include doing good to help individuals and society, earning revenue, obtaining donations or grants, surviving, thriving, and growing.
We see a "compliance line" and a "business needs line", both of which run through the organization's internal rules and practice. Different people or departments in the organization may be responsible for each line, so sometimes there is room for discussion (and sometimes conflict). Good organizations strive to accommodate both lines, because a strong organization can do many things at once: comply with external requirements, protect its information systems, and achieve its mission. Indeed, security and compliance are prerequisites for meeting business goals, not competitors with them.
The internal rules are right in the middle of all of this. Internal rules tell employees what to do and how the business should run, and that matters both for business needs and for compliance with external rules.
Internal rules recap
Internal rules can include:
- Verbal directions, unwritten rules, and organization culture (recognizing the limits here: unwritten rules are hard to verify, and different people may perceive and understand them differently)
- Policies (general rules)
- Standards (more detailed rules)
- Procedures (highly detailed steps to accomplish a task)
- Guidelines (guidance, but not a rule)
- Other documents, whatever their name, such as charters, plans, handbooks, and manuals.
Topics for internal rules can include:
- Incident response
- Conflicts of interest
- Employee rights and responsibilities in the workplace
- Documents on how to manufacture goods or provide services.
Planning to create or update internal rules
Organizations need to create and update their internal rules, so let us now discuss the factors that go into that. Internal rules include policies, procedures, and any direction provided to the organization and individual employees about how to go about the organization's business.
To create and update our internal rules, we need to consider the four platforms we have discussed above, plus a new concept, external guidance.
Let's discuss how all of those components feed into the creation of internal rules.
- Internal rules: Let's start here so as not to leave anything out. Existing rules inform the creation or update of rules: a new or revised rule should be checked against what is already in force so that it does not conflict with, duplicate, or silently supersede an existing policy or procedure.
- Business needs: The missions of the organization require creation of internal rules. Employees need to know management's direction and how to do their jobs.
- External rules: Laws and regulations require certain things of organizations and the employees within them. Internal rules must be in accordance with these external rules, or the organization will be out of compliance and subject to legal action.
- Practice: Generally, internal rules are there to inform practice and action, to tell the organization and employees what to do and how. Sometimes, practice informs internal rules. Good practices can be documented and formalized in rules, and bad practices can be identified and prohibited by rules.
- External guidance: Organizations may adopt external guidance when creating their internal rules. Guidance is not mandatory, but it may be very helpful. For example, there are many information governance and security frameworks that are voluntary but helpful for organizations to consider, adopt, or adapt. If you are reading this while considering how to update your organization's internal rules, this article too is guidance that may help you conceptualize your rules, and my policy checklist might help further. Guidance is voluntary, so the organization is free to accept it, reject it, incorporate parts, or modify it as it chooses.
Organizations need to build internal rules and practices that align with both business needs and external rules. Conceptually, we can start with the Three Platforms to Connect (for compliance), then use the Four Platforms and Five Components concepts to bring in external rules, business needs, guidance, and more.
This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.
If your organization needs help with improving its internal documentation and compliance with external rules, including regarding cybersecurity and protecting from cybercrime, let me know. If you are looking for more resources on policies, this website has it, as does my online course at Infosec Institute.
- Policy Project Planning and Execution
- Five Components for Policy Work
- Bandler's Three Platforms to Connect
- Bandler's Fourth Platform to Connect
- Internal Rules Building
- Policy and Procedure Research and References (I have researched and built out many articles on the topic and they are all listed in this article)
- Policies and Procedures
- Policies, Procedures, and Governance of an Organization
- Policy Checklist
- Cybersecurity, Privacy, You, and Your Organization
- Cybersecurity review and improvement for your organization - a checklist
- Introduction to Cybersecurity and Information Security
- Cybersecurity Laws and Regulations Part 1 (general legal overview)
- Bandler's Free Starter Cybersecurity Policy
- Bandler's Four Pillars of Cybersecurity
- Coming soon, policy course at Infosec Institute.
This article is hosted at https://johnbandler.com/internal-rules-planning, copyright John Bandler, all rights reserved.
This article is also available on Medium.com at NOT YET (though not kept as up to date).
Originally posted 5/15/2022, updated 10/26/2022.