Policies, Procedures, and Governance of an Organization

This short article introduces good governance principles for organizations and focuses on internal rules and documentation. These principles apply across all areas of an organization, and especially to governance of information assets and areas of cybersecurity and privacy.

Governance is the process of how organizations manage themselves. No organization is the same, with variations in mission, size, decision making and implementation, history, culture, and more. Needless to say, there is also variety on how organizations document and follow their own rules.

Internal rules: What they are and document types

First, we explore what an internal rule might be. It could be a verbal rule or other type of informal requirement, including organizational cultural norms. Often, it should be in writing, and we will focus on written rules, especially three main governance document types.

First, consider the policy. A policy is a high level rule, approved by the highest levels of management. A policy is general (not detailed) and does not require frequent change. Details are reserved for other internal rules, or to the employee’s sound judgment.

Next might be a standard. It has more detail than a policy, might be approved at a lower level, and require more frequent updates.

Now comes the procedure, at the other end of the spectrum from the policy. A procedure provides detailed instructions (like a checklist) on how to perform a task. Because it has so much detail it may require more frequent updates as circumstances and tools change, and approval would be at a lower level.

Guidelines are documents that are not technically rules, but offer guidance for employees who can then use their discretion. There are many other types of governance documents, including articles of incorporation, partnership agreements, bylaws, charters, plans, handbooks, manuals, and more.

Why most organizations need written internal rules

Good management principles often suggest that organizations need written governance documents. These written rules also play an important role in managing legal, regulatory, and cybersecurity risks, Sometimes laws or regulations (“external rules”) may require they exist.

Sometimes informal, verbal, and unwritten rules work just fine. In very small organizations, owners, managers, and employees can agree on what needs to be done and how, any mistakes or issues can be identified and corrected informally.

At times, these so-called “unwritten policies” can be problematic. Verbal rules can be subject to misunderstanding, differing recollections, and confusion. These issues are exacerbated if circumstances put an organization’s internal rules into the spotlight, such as if there is a lawsuit or government inspection or investigation.

As organizations get larger, legal requirements increase, and they fall under increasing external rules. It becomes even more important for the organization to manage their risks properly. This starts with a review of applicable legal requirements, threats, and existing policies. A cost-benefit analysis always needs to be performed to decide whether to invest resources to create and maintain internal rules. For all organizations except those in the early start-up phase, such review may indicate that certain policies are required.

External rules, requirements, and resulting legal risks

Organizations should evaluate all applicable legal requirements, a multitude of “external rules”. External rules come from laws, regulations, contracts, principles of negligence, and more. External rules impose consequences if the organization does not comply, and that requires evaluating legal risks and how to manage them.

Legal risks from external rules extend to information governance, including cybersecurity and privacy. Managing these risks may start with the creation of written, internal rules. Further, these written rules are a good governance step towards protecting the organization.

Organizations should keep focus on the purpose of cybersecurity related regulations — to prod the organization to protect its systems and data. Thus, protection should be the primary goal, and a secondary goal is demonstrating regulatory compliance.

External rules can be sufficiently complicated that employees cannot hope to master and apply them to their daily conduct. Thus, organizations need to create helpful internal rules which align to these external rules, and help employees accomplish their mission.

Here are a few examples of external rules that relate to cybersecurity, information security, and privacy:

  • New York’s SHIELD Act (“Stop Hacks and Improve Electronic Data Security Act”), GBL 899-aa and GBL 899-bb, imposing cybersecurity and data breach notification requirements on most organizations
  • Growing privacy laws and regulations including the Federal Trade Commission (FTC) rules and the California Consumer Privacy Act (CCPA)
  • Cybersecurity regulations for the financial and medical sectors, including New York’s Cybersecurity Requirements for Financial Services Companies, 23 NYCRR 500 (“Rule 500”) and federal regulations as outlined through the Federal Financial Institutions Examination Council (FFIEC) and HIPAA and HITECH.

These external requirements essentially require that most organizations should probably put an information security (cybersecurity) policy and a privacy policy in place.

Internal rules must be created to align with external rules

Internal rules need to align to external rules, and actual practice needs to align with both. Thus, there are three important areas for organizations to consider:

  • External rules and requirements based upon applicable laws and regulations, contracts, and other legal requirements
  • Internal rules created by the organization and put into writing, such as policies, standards, and procedures, and
  • Practice: What the organization and their employees do.

Imagine three platforms, and think of the need to reduce — and watch — the gaps between them. The first platform is external rules, essentially built by the government. The other platforms need to be built by the organization, by creating a set of internal rules and ensuring the organization follows them.

Ideally, these three platforms interconnect seamlessly. In practice, organizations need to “mind the gap” in two critical places:

  • If internal rules do not comply with (or conflict with) external rules
  • If organization practice does not comply with written internal rules.

The diagram illustrates these three platforms and the gaps between them.

Drafting internal rules that comply with external legal requirements can be difficult where laws and regulations overlap or are confusing. The focus should remain on compliance with both the spirit and letter of the external rules. Knowingly ignoring or violating external laws or regulations puts the entire organization at risk. These internal rules need to be drafted for their audiences, and organization practice should align with these internal rules.

The need for cybersecurity and privacy documents

The creation and maintenance of a cybersecurity (information security) policy and a privacy policy should be a priority for most organizations. Here’s why:

  • Cybercrime is a serious threat to every organization and its customers, clients, and employees, protecting against cybercrime requires good cybersecurity, and good cybersecurity often starts with having good information security governance documentation
  • Cybersecurity is an area of increasing legal requirements
  • Incident response planning and data breach notification rules indicate that documentation needs to be in place prior to an incident
  • Privacy is an increasing area of legal requirements which may require organizations to maintain (and follow) a privacy policy
  • A proper process of developing and creating these policy documents helps organizations grow, become more efficient, and protect themselves and their customers.

Organizations meeting the following criteria should probably have a cybersecurity policy and privacy policy in place:

  • Regulated (financial, health, etc.)
  • Within New York State, or another state with “reasonable cybersecurity” requirements (or doing business with customers in those states)
  • Collecting information about customers, clients, patients, donors, or employees
  • Make any claim about their level of cybersecurity
  • Considering applying for cyber insurance
  • Desiring to protect themselves from cyberthreats.

Information governance is but one important area for organizations to consider. Needs for policy documents will extend beyond this, and important areas may include:

  • Anti-fraud and anti-money laundering practices (in certain sectors)
  • Human resource issues including hiring, firing, workplace conduct, anti-discrimination, and more
  • Organizations in the non-profit sector probably should have policies on whistleblowers, document retention, conflicts of interest, and more. It is good governance, and they may need to answer questions on their annual filings about whether they have these policies or not. Their answers must be accurate, and a truthful “yes” seems to be a preferred option.

Introducing the handy ENTER acronym

Organizations should do these things, using the helpful and memorable ENTER acronym:

Evaluate

  • external rules and how they apply to the organization
  • how to best comply with external rules
  • how to protect the organization from legal risks and cybercrime threats
  • how to prioritize compliance requirements
  • the priority for the creation and maintenance of governance documents

Newly create or update governance documents that:

  • comply with external rules
  • are clear, consistent, understandable, and helpful

Train all members of the organization (from the newest hire to the CEO) on the governance documents.

Ensure practice follows policy (compliance with internal rules)

Review and update policies periodically, and evaluate the need for new policies.

Finally, organizations should strive to banish these thoughts or statements:

  • “Maybe we can consciously ignore this legal or regulatory requirement, because we might not get caught, and even if we do get caught, the penalties might be mild.”
  • “We need to get a policy in place quickly so we have it and can show [insert name]. But we don’t really need to follow it.”

Conclusion

This short article is for your information and learning, and of course is not tailored to your circumstances, nor is it legal or consulting advice. It also contains my opinion and perspective.

Here are other articles that are helpful:

Cybersecurity, Privacy, You, and Your Organization
New York Cybersecurity Requirements and the SHIELD Act
Privacy, You, Your Organization, and the New NIST Privacy Framework

Posted 3/17/2020

Also posted to Medium at https://medium.com/@johnbandler/policies-procedures-and-governance-of-an-organization-96ce8728a580