Friday, March 7, 2008

Enforcing Coorporate Policices

Bad advices come from everywhere. One of the struggles of security is to teach management and employees alike the importance of policies and regulations, and the need to abide to them.

In an organization, there are rules. Rules are there to be followed - like it or not. To make sure that the rules are followed, most of them are written down as procedures and policies. That makes it easy to control, and change when necessary. The challenge is that not everyone follows the rules.

Policies enforces behavior

Humans are different - some are energetic and full of ideas, some are very down to detail and control. Others prefer a nice workplace where everyone is happy and calm. Others again like to be in control and drive their own agenda forward. The more people you put in a room, the more diverse the group will be. And without a clear leadership and management, the group will not be able to efficiently come up with anything but noise.

In a corporate world the same scenario is true. You need to control your employees and join their efforts to push in the same direction. On a day-to-day basis, policies are used to control the behavior and to put in place a set of methods and processes.

No incentives - no followers

One very important thing about policies is the fact that if you give no incentives to follow them, people will soon start to make up their own ways of doing things. To the one employee it may make perfect sense to use his laptop to store personal images and share music. To the company, this sort of behavior may result in lawsuits and liability.

The incentives will vary from organization to organization. The most important is that if an employee does not follow the rules, then a penalty must occur. The penalty should be widely known, and practiced.

A few years ago, a Norwegian oil company tried to sack a team of employers that had view adult movies at one of the oil rigs. The company did have a policy that prohibited any kind of adult material to be viewed using their systems. So you would think they had a clear case. Not so, the policy had never been enforced. The company had to take the employees back in, and even pay penalty.

The lesson to be learned is simple - when you have a policy in place, make sure you enforce it.

Technology is a supplement

Technology should supplement policies - not the other way around. You should never invest in (security) technology and then make the policies.

The purpose of security technology in regards of policies is to enforce the policies, to control that they are being followed and to trace possible violations. To do so, you first need to know the behavior you like to have in place (the policy), and then you invest and set up the necessary tools to check if the policy is followed.

Technology include tools that removes threats, tools that enforces a particular behavior, tools that logs and analyze the movement and use of your employers, as well as tools to audit, control and change policies itself.

Today there is a great demand for this kind of technology. The driving force is not so much the company itself. The driving force is the need for the company to stay compliant to public regulations like SOx, HIPAA, PCI and the like. These regulations come in different flavors, from international, to regional, via national laws. And finally as policies in the company. Then add industry standards like ISO. Clearly you need some technology to help you stay on top of the problems. Still, always remember to have the policies in place beforehand - the technology is only there to support and enforce your policies.

Review and audit

If you like it or not - or do not understand the reason behind the policies - then ask around internally. If you have the knowledge and the power, you may change them – a process that should be a major part of the rules, and it is called auditing.

Auditing is important to keep your policies and your employees up to speed.

If you have a policy that your employees see is useless, or wrong, they will try to find ways around it. You need to teach them that if the policy is wrong, the right way of doing things is to change the policy. It must be easy to report errors. It should be positive to report errors.

Errors happen all the time. If you if fail to catch the errors, how will you be able to improve?

The Toyota Production System is one way to do this. The purpose is to improve and manage quality. Toyota does this by emphasizing the need for improvement. They proactively ask their employees to come up with better ways to do their job.

Rule breakers

In every organization you have the people who always seem to be breaking the rules. Some are in the R&D - and there they are doing a great job. But other employees who break the rules with intent must be identified and removed. They are working against the target of the company, and they are reducing the inner bonding and cooperation of the team.

Most importantly, rule breakers impose a risk to the organization. You will never be able to control everyone 100%, but most people will follow most rules if told given a reason to do so.

If you add noise to the group in form of a rule breaker, the team will soon stop following the policies. And of course - people who do not abide by the rules is more likely to sell off company secrets, impose threats to the company and be an overall liability.

The challenge is to discover and neutralize such elements. Especially since they very well may add great value to the organization by their opportunistic views and new ideas. You see them in R&D, Sales and as business developers.

The bad bones you must remove. But if you cater for them correctly, and stay in control, any organization has great benefits from these people.

Success with policies

Policies are a set of rules put in place to ensure a particular behavior. Many policies out there are worthless - either because they are not being enforced, they are wrong or outdated, or they have been put in place by the wrong reasons.

Success with policies comes by combining the right mix of incentives and controls, with regular updates and audits. But if you forget that the policies are all about human behavior, you will fail.

Article as published on


No comments: