Policy management doesn’t have to suck

Introduction

Okay, I’m going to admit it: policy management doesn’t have to suck. In fact, it can be a lot of fun and very rewarding. The problem is that most companies don’t know how to approach their policies in a way that keeps them secure and their workers happy.

The policy process

When it comes to security policies, the process of creating them should be simple and effective. If you don’t have a good process that makes writing policies easy for your team, then you’re going to run into trouble. A good policy-development method should also make it easy for your organization’s users to access the policies. After all, if they can’t find the document on their own or figure out how to use it whenever they encounter an issue, then how will the policy help?

Now let’s look at some examples of how we can create processes that work well for everyone involved:

Keep it simple

Since you’re writing policy, keep it simple. This should go without saying, but if you have a policy that consists of more than two pages and has pictures, you need to rethink your approach. Here are some tips for keeping things as clear and concise as possible:

Use plain language instead of technical or legal jargon. If you want to use an acronym in your policy, be sure that it is widely accepted and understood by everyone who may read the document (this includes employees at all levels within the organization).
Don’t get too technical with your writing – this makes for boring reading! Instead of using complex sentences like “As per our IT department’s security standards…” try something like “We must follow all IT department security procedures…”
Avoid passive voice wherever possible; it can make your sentences confusing or unclear! For example: “The office will be closed today due to inclement weather conditions.”
Have clear roles and responsibilities in place so there are no misunderstandings about who does what when it comes time to write up new policies or update existing ones. This could include assigning specific tasks based on who has expertise in certain areas (e.g., a content strategist may be responsible for editing language while someone else focuses on formatting).
Make sure everyone knows exactly what steps need to be completed before any other parts of the project start moving forward; this includes knowing who needs approvals from whom at various stages throughout development so there aren’t any surprises later down the line if something goes wrong along the way.

Alignment –

Working with leadership to create a policy that is in line with corporate culture
Working with your MSP/IT provider to write policies that align with your compliance and regulatory requirements
Working with everyone to ensure they are written with the ACTUAL business processes in place

Authorization –

Working with executive leadership, compliance officers, and legal counsel
Having a company representative with the authority to authorize the policy by signing off

Adoption –

Having a process for end users to review, sign off and adopt the policy

Assessment –

Policy documents have a lifespan
Policies should be reviewed and updated on a regular cadence
At a minimum, they should be reviewed annually or when significant changes have been made

Create a policy management process that keeps you secure and your workers happy

While it’s important to keep your company compliant and secure, you also have to keep your workers happy. Fortunately, creating a policy management process that satisfies all three of these objectives is as simple as following some basic steps.

First, create a clear set of standards for acceptable use policies (AUP). This should include both an acceptable and unacceptable use policy for email and other communication tools at work, as well as specific guidelines for social media use.

Second, make sure every employee has read and signed off on this AUP — including yourself! Finally, enforce the AUP by regularly reviewing logs from systems like Microsoft Exchange Online or Office 365 Security & Compliance Center so you can see if anyone has violated any of its rules.

Typing up policy, getting it approved and distributing it may take minutes… if you don’t have any emails to respond to or meetings to attend.

Do you ever wish that policy management wasn’t so damn complicated? If so, then we’re on the same page. It’s not rocket science and it shouldn’t be that difficult to get your policies where they need to be.

It doesn’t have to take hours or days of your time just because someone else in IT has decided that it needs their attention first (and maybe even second). It’s a waste of money and resources when people keep putting off the creation of new policies until they can find “the right person” who will review them and approve them…only for these same individuals never to put pen to paper because they don’t want any part in writing something up — even if it’s something simple like “Don’t post naked pictures on social media.”

And finally, if we’re being honest here…it takes up space! So much space!

Keeping your policies up to date and having visibility into who has accepted the most recent versions is definitely not something you want to do manually.

Policy management tools allow you to keep your policies current, automatically notify people when a new version has been published, and identify which users have clicked “I accept” on the latest policy draft. This frees up time for more important activities like ensuring compliance or making sure those binders are really secure.

When was the last time you saw anyone reading their company policies?

I’d wager that, like most of us, you haven’t had the chance to read your company policies since agreeing to them. For example—and this is just a hypothetical example—you might have signed up for an email marketing service and agreed to a set of terms and conditions that give the provider permission to send you ads based on what they think would appeal to you. And then? Well, then they did! Your inbox was flooded with emails from fintech startups trying to solve all your problems in one go or from old college friends who’ve moved away but still want their opinion heard.

But here’s the thing: no one really reads those policies anyway. The only reason people even signed up for those services was because it looked like something cool or useful and it seemed like no big deal at the time! Personally, I don’t know about you guys but I’m pretty sure none of us have ever reviewed our privacy policy before downloading an app or signing up for anything online ever in our lives (except maybe Google Analytics).

Policy management doesn’t have to suck.

There are tools available to help you manage policies, compliance, security and risk. And there are tools that can help with people too. It’s not easy work—but if you’re doing it right, you should be able to sleep at night knowing the right things are being done in your name.

Conclusion

You’re welcome to try and make the policy process suck less, but if it doesn’t work out, there are other options. I recommend that you check out the Policies Pro app. It will take care of everything for you so that all you have to do is focus on your business!

The post Policy management doesn’t have to suck first appeared on compliancerisk.io – Helping with your Governance Risk and Compliance needs.