by John Bandler
Based on my age, and my experience in law enforcement and as a lawyer, I have some familiarity with rules.
Each of us has a different perspective. Some of us may be more rule-abiding, wishing others would behave similarly. Some of us may chafe at various rules, and be more rebellious or dismissive of the requirements we are subject to. Whatever our personality, we can all agree that some rules (and adherence to them) are required for society.
The entire field of law is about rules: rules of how people should conduct themselves, and rules about how to resolve a dispute about whether someone has violated a legal code of conduct, whether criminal or civil. I have written about laws, regulations, policies, and procedures, and I wanted to create this article to put these concepts into more basic terms.
Our first rules as individuals
We all first experienced rules as children from our parents. Perhaps the rule we first remember is the rule not to eat dessert until we are done with our main meal, or the rule about bedtime. Many of these parental rules and teachings become part of our personal rules. And as we age we become subject to more rules from different places, including from schools, government, and society.
Our personal rules
Based on our upbringing and experiences, we develop personal rules that guide our conduct. Sometimes this is known as one's conscience, ethics, integrity, moral compass, values, or sense of personal honor. Obviously, our personal rules are heavily influenced by external forces.
Society's first rules
Ever since humans began living together in communities, these groups have imposed rules. These rules helped ensure there was food to eat, shelter, and protection. There might need to be a division of labor regarding who would hunt, gather, farm, cook, build, or fight. Individuals needed to conform to certain rules for the greater good. Of course, not every human looks out for the greater good (self-interest is an important motivator), and people have been breaking rules forever, so societies have always needed mechanisms to deter and punish rule breaking. It is also worth noting that not every rule is a good rule, but that is a separate topic. Here, we are talking about the general principles and the need for good rules.
Government rules ("external rules")
In my work as a lawyer, including with cybersecurity, privacy, compliance, policies and procedures, I find it helpful to think of external rules. An external rule is imposed upon a person or organization from outside, such as from the government. Obvious examples of such external rules are laws and regulations. Criminal laws are one important category of external rule we want to be in compliance with. Then there are a myriad of civil laws, including specific statutes and general legal principles such as negligence and contract.
As organizations think about what their internal rules are (or should be), they must consider all applicable external rules.
Internal rules of an organization
Internal rules are those that individuals, families, or organizations create. Parents create rules about when children can eat dessert, bedtime, curfew, and so on. One parenting style discusses these rules and the reasons for them with the child, and even sometimes involves the child in the rule making process. Rarely are these rules reduced to writing, but that does happen on occasion.
Organizations create internal rules to govern the organization and tell employees what they can and cannot do. These rules might be informal and cultural, provided directly and verbally, or set down in the written form of policies, procedures, and more.
Growing legal requirements (external rules such as laws and regulations) surrounding cybersecurity and privacy require a degree of written internal rules. Government has recognized that "unwritten rules" are often not worth the paper they are not printed on. Government believes that an early and important step towards compliance is creation and then enforcement of good internal written documentation.
Good management practices also suggest that quality written internal rules are necessary. Some areas are too complex to rely on unwritten understandings, and employees need proper guidance. The right degree of documentation helps the organization and individuals know what to do.
Policies and procedures are the common terms for such internal documentation, but a full list can include:
- Policies (general rules)
- Standards (more detailed rules)
- Procedures (highly detailed steps to accomplish a task)
- Guidelines (guidance, but not a rule)
- Employee agreements (codes of conduct, NDAs, confidentiality, etc.)
Well, guidance is not a rule, it is just a guide that we can follow, adapt to our needs, or disregard. But as organizations create internal rules, they might seek external guidance to develop those rules, and they might provide their employees with guidance (suggestions but not rules).
Action (what we do)
Let's not forget an important third aspect. Government creates and enforces rules for its inhabitants, and organizations create rules for their employees. The third aspect is what people actually do: their action, or practice. Those acts are either in compliance with rules or not (though sometimes it is hard to say either way). The general goal is to get people to behave in accordance with external and internal rules.
This is a good time to remind readers that this is a discussion of general principles, and also to point out that most rules incorporate provisions that allow for fairness and reason in interpretation and enforcement.
Bandler's Three Platforms to Connect
My Three Platforms to Connect conceptually aligns three important areas. First are the external rules imposed on us by society and government. Second, organizations create internal rules, which should align with those external rules. Third is action (what is actually done), which should be in compliance with both.
Building internal rules
Creating and updating internal organizational rules is an important task and it should be done well.
I have read many terrible internal rules in my time, writing that is difficult to read and understand, and subject to debate about what it means. This means that even management is confused about what it means, and line-level employees are even more confused.
Good internal rules are clear and readable. They align with external rules without incorporating or creating indecipherable legalese. They clearly communicate what is expected. They are the right length and level of detail.
Building good internal rules also means evaluating whether there is helpful external guidance. External guidance is a guide, not a rule that must be followed.
This quick primer helps put some more complex topics (laws, regulations, policies, and procedures) within a common framework we are all familiar with ("Rules").
This short article is not tailored to your circumstances and (of course) is not legal or consulting advice.
If your organization needs help with improving its internal documentation and compliance with laws and regulations, including regarding cybersecurity and protecting from cybercrime, let me know.
- Policies and Procedures
- Bandler's Three Platforms to Connect
- Policies, Procedures, and Governance of an Organization
- Policy Checklist
- Cybersecurity, Privacy, You, and Your Organization
- Cybersecurity review and improvement for your organization - a checklist
- Introduction to Cybersecurity and Information Security
- Cybersecurity Laws and Regulations Part 1 (general legal overview)
- Bandler's Free Starter Cybersecurity Policy
- Bandler's Four Pillars of Cybersecurity
This article is hosted at https://johnbandler.com/rules, copyright John Bandler, all rights reserved.
This article is also available on Medium.com at NOT YET (though not kept as up to date).
Originally posted 4/1/2022, updated 5/4/2022.