A series of recent bloody court battles, well-documented in the press, have highlighted the importance of clear policies governing the use of an organization’s information systems.
While the majority of media coverage has focused on the use of email to send lurid or offensive messages, the ramifications go far beyond the need for 'acceptable use' policies and expose weaknesses in an organization's information security and workplace-monitoring efforts.
Despite the clear need for a fresh approach to corporate policies, the vast majority of organizations still have a long way to go to satisfactorily cover this issue. Figures released by the U.K. Department of Trade and Industry suggest that only 49 per cent of U.K. organizations have policies in place to ensure compliance with the Data Protection Act (source: Information Security Breaches 2002).
Even those companies who have developed policies may still be facing trouble if they are not properly managed. Simply drafting a policy statement and posting it on the intranet does not constitute 'effective management.' Recent research undertaken by PolicyMatter found that only 22 per cent of U.K. organizations currently actively seek specific agreement from employees that they will abide by policies - suggesting that at least 78 per cent of organizations do not know if their published policies have been read by staff, let alone understood.
When we consider that 2003 is likely to bring a raft of new legislation, a greater emphasis on compliance by regulatory bodies and an increasing volume of litigation - this situation gives cause for concern.
Organizations are not helped by a lack of a recognized 'best practice' in policy management - which means that companies are left to devise their own methods of deployment and auditing, often learning only from their own mistakes.
The five-stage plan
The critical elements of policy management are common to most types of policy - although legislative and regulatory complexity can make some harder to manage effectively than others. PolicyMatter has created a five-stage plan to help organizations take control of corporate compliance and realize a higher value from their policies.
Stage One: Establishing policy requirements
Any policy issued by an organization should be compatible with - and a reflection of - all applicable laws, codes of practice, regulatory requirements and best practice. Information navigation is the key to success here. There is no shortage of readily available sources of guidance, such as the internet, trade publications and third-party professionals, all of which can be valuable in setting the parameters for what should, and should not, be in the policy.
While legislation itself may run to hundreds of pages, organizations need to be able to draw out the parts that are important and relevant to them, creating a policy that covers all the necessary bases but is still easy to read and understand.
The final decision, however, on what goes into the policy must be a matter of personal and commercial judgment. Despite a complex legal backdrop, a policy that sets out to be unnecessarily comprehensive will fail as a usable document.
Stage Two: Drafting policies
The sheer volume of legislation to be considered when drafting a policy can be daunting. In the U.K. the Data Protection Act, Regulation of Investigatory Powers Act, Human Rights Act, the Information Commissioner's Code of Practice and BS7799 (among others) may well each affect how policy is written - not to mention any sector-specific regulations. Other countries have similar legislation.
However, it is also important that the policy is drafted in a way that reflects the culture (or desired cultural change) within an organization. A different effect and tone can be achieved solely by the use of different language. Whoever is charged with creating or collating policies should also ensure that there is consistency of tone and language across the suite of policies.
Above all else, the writers of policies should strive to use plain language at all times and shy away from legalese or needless jargon. A policy needs to be capable of being understood by all who are affected by it and should be unambiguous.
Before a policy is deployed for the first time, the organization should always consider whether a consultation process needs to be undertaken, either directly with those affected by the policy or via a staff consultative body.
Stage Three: Policy deployment
The chosen deployment mechanism needs to be able to target the right people with the relevant policies at the right time. As some policies are appropriate to all employees - and others to only select groups - care needs to be taken to ensure that the deployment vehicle is both rapid and reliable. Ideally, organizations need to consider the deployment requirements for each policy individually.
For some policies, a passive approach such as posting a policy on the intranet is acceptable - such policies are usually those which bestow a benefit on the employee and where it is safe to assume the policy will be sought out. However, for most information security and acceptable use-type policies, the line of least resistance should be avoided as an approach to deployment. For these kinds of policies to be successful, it is imperative that the organization 'knows' that policy has been deployed to all relevant parties and that it can prove that employees have understood what is required of them.
Most currently-employed methods of policy deployment - whether by email, intranet or hard copy - do not make it easy to audit the success of policy deployment.
Stage Four: Testing understanding and affirming acceptance
For policies that are critical to corporate compliance, the organization needs to be in a position to track the penetration of the policy. This is a twofold process. First, it means collating evidence that individual employees have received the policy and have made a binding agreement with the employer to comply with it. Recent legal cases in the U.K. (for example, that of Clarke vs. TXU) have demonstrated the need for organizations to protect themselves by means of 'effective policy management,' incorporating policy acceptance by the individual.
The second stage of this process is more difficult and is often conveniently ignored by many organizations. Testing employee understanding is traditionally extremely labor-intensive, and there has not, until recently, been any onus on organizations to prove that their staff have agreed to and understood the policy.
Stage Five: Auditing and reporting
Finally, those charged with deploying policy need to be in a position to readily generate reports on the deployment process. On a macro level, management reports to show compliance at a glance are valuable to those leading an organization. An ability to share reports with interested parties (partners, customers, regulatory bodies) to help authoritatively demonstrate compliance can be a useful tool, for example to win tenders or deal with unwelcome scrutiny. Moving down to the micro level, it is an unfortunate necessity to be able to identify a particular individual or group to whom a policy has been deployed, and ascertain whether and when they agreed to abide by the policy and exactly what was included in that agreement.
IT and information security policies are no longer just a 'nice to have' for large businesses. With increasingly strict legislation and the attentions of industry watchdogs focusing in on compliance, policies are now essential for all organizations. Management of these policies must be taken seriously - the risks associated with not doing so are simply too high.
Organizations who take policy management to heart should, over time, notice a discernible reduction in the resources that need to be allocated to instances of compliance breaches. When policies are properly drafted and communicated - and employees understand their individual obligations - organizations tend to see issues being taken more seriously and a more positive attitude among staff to achieving compliance.
Although by no means a fail-safe route to achieving 100 percent compliance, the five stages outlined in this article should help any organization increase the value of corporate policies and help reduce the risk of security and compliance breaches.
(A full white paper entitled 'The Five Critical Stages of Policy Management' is available from www.policymatter.com)
Nathan Millard, a lawyer with leading U.K. law firm Morgan Cole (www.morgan-cole.com), specializes in employment law and has experience of the issues around the practical creation and deployment of policies in a wide range of organizations.