Solicitation of Best Demonstrated Practices

Improvements are expected in any work process over time. Often changes that appear to be an improvement reveal difficulties that were not anticipated when conceived. On the other hand, new and creative methods of handling work tasks can result in improved methods for getting the work done more accurately, efficiently or with fewer difficulties. These improved methods are an iterative method of achieving what is termed a “Best Demonstrated Practice.” This can be the result of an improved method of performing the function repeatedly, or the result of comparing how the same function is being performed in different areas of the organization or even among several organizations. In the cases where perceived improvements fell short of their glorious expectations, written descriptions of the issues faced and the reason the new idea did not materialize can help future users of the procedure see and avoid duplicating the efforts that proved unsuccessful. These same written procedures can document the improved method and enhanced functional policy in a way that can be easily distributed to others and recorded in the formal description of the organization’s work tasks. Similarly, written descriptions of current practices can be distributed to a wide audience for review, reflection, and enhancement, resulting in development of new Best Demonstrated Practices.

Tangible Reflection of Management and Technical Directives

Finally, written policies and procedures form a key component of the management opinion system because they reflect intangible operations, management, or technical directives that are often the result of board room or conference room discussions. As practical and workable derivatives of these policy statements, the written procedure ties the abstract philosophy to the concrete work task. If the directive is understood, it must be translated into a written policy statement and/or process description that is clearly written, specific, and unambiguous. The policy and procedure statement in any organization, especially as it relates to computer security practices, is where the executive mentality is manifested in the day-to-day organization operations. Without the practical implementation, management direction is no more than rhetoric that can’t be tied to specific job functions and output quality and quantity.

TYPES OF POLICIES

Regulatory

Many organizations are not totally at liberty to decide whether to develop and carry out Security Policies, or even what some of those policies must contain. Usually, these organizations operate in the public safety or public interest, are managing or administering funds or assets for their constituents, or are frequently held to close public scrutiny. The format and content of these policy statements are generally defined as a series of legal specifications. More specifically, they describe in great detail precisely what is to be done, when it is to be done, who is to do it, and may provide some insight regarding why such an action is important. Typically, this type of policy document is not widely distributed outside the particular area for which it is intended because it includes specific reference to job functions, transactions, and procedures that are unique to the organization. They are, however, often distributed to similar organizations who have the same directives and purpose. For example, security provisions directed toward a particular government entity that determines tax rates might be shared with other entities in other jurisdictions with the same objectives.

The rationale for establishing this type of policy is generally twofold (other than the explicit purpose for protecting the accuracy, confidentiality, or availability of data or functions). The first key purpose is to establish a clearly consistent process. Especially when involved with the general public, organizations must show uniformity of how the regulations were applied without prejudice. The second purpose is to allow individuals who are not technically knowledgeable in the process themselves to have confidence that those who are doing the process are doing it correctly. For example, a policy might be established that requires two employees to supply a password before a check can be printed that exceeds $500. This assures the regulator or reviewer that an individual has at least consulted with one other authorized individual before committing the funds. This policy can be effective at reducing careless errors and dissuade individuals from stealing funds without being caught.

A regulatory type of policy has certain restrictions or exclusions. For example, it is not very effective in a situation where individuals are making judgments based on the facts and environment of the moment, like the decision to send an ambulance to rescue a victim of an attack. The extensive steps involved in the process can impede the completion of the mission, which is to provide for the safe rescue of an individual in danger from sudden illness or injury. Methodical adherence to policy can risk further injury or even death. Other situations where this regulated policy is less effective is when the situation requires frequent variations from the prescribed method. A policy that has many exceptional conditions can be cumbersome, difficult to enforce, and can lead to a lax atmosphere where staff ignores the policy because of the high probability of finding an exception that applies in each situation.

These kinds of policies have been in place since policies were first developed, and will probably continue to be found in our civilized culture, irrespective of how advanced or technically proficient we become.