Starting the New Year On the Right Foot

When was the last time your organization did a comprehensive “Operational Review” of your security policies and procedures? While many organizations conduct paper reviews to satisfy oversight agencies, very few conduct actual “Operational Reviews” to assess “Operational Functionality” of the policies and procedures.

Throughout my career I have conducted numerous “Security Audits”. During many of these audits I found that many organizations had wonderfully written policies and procedures, but they were operationally impractical.

My definition of “Operational Review” is where the staff, first line supervisors, and management select security policies and assess them to determine the following:

  1. Are they “Operationally Functional”?
  2. Are they still relevant “as written”, or do they need to be revised or retired?
  3. Is the staff following the policies and procedures “as written”?
  4. Due to changes in operations and/or security levels or other concerns, is there a need for new policies and procedures?
  5. Does the staff know the policies and procedures?
  6. Has the staff – at every level – been trained in the security policies and procedures?

The next step is to conduct interviews with the staff to ascertain if they:

  1. Are using the policies and procedures as written (if they are not, why not)
    Examples:
    • They do not “function” as written
    • They are outdated
  2. Have any suggestions on how to improve the P&P’s to make them more “user friendly” and “Operationally Functional”
  3. Are followed on every shift – as written (Does the staffing level affect how policies are followed?)

It is crucial for the staff to be able to use the policies and procedures, as they are written, to perform their duties. Failure to do so can create legal problems for the organization (There is no defense for violating your own policies and procedures.). Additionally, not having “Operationally Functional” policies and procedures can create dysfunction and inconsistencies within the security operations, thereby creating a “weak link” in the overall security operations.

For years I have been a strong proponent of “Operationally Functional” policies and procedures because policies and procedures are the administration’s mechanism for informing its people how it wants the security operation to function.

Ambiguous, vague, and/or wordy policies and procedures can leave large loopholes for “line staff” to interpret the “true” meaning of the policy, and what procedures they must follow. However, I admit that there may be situations where the line staff must use their own initiative to manage the situation. My concern is when the “line staff” has to employ their “own means” to fulfill their duties and responsibilities, and the “exception becomes the rule”.

When the “exception becomes the rule”, the administration really DOES NOT know what is going on within its security operations.

It is a new year, a fresh beginning; therefore, take this opportunity to start “TODAY” to put together a team to conduct an “Operational Review” of your security policies and procedures. At the end of the process, all involved will have:

  1. A more comprehensive understanding of the security policies and procedures.
  2. The assurance that the policies and procedures are up-to-date with the security operations of the organization.
  3. The satisfaction of knowing that staff at all levels will have contributed to the review.

One other thing I found when reviewing security policies and procedures was that “old” security policies and procedures were rarely retired. My definition for retiring a policy is to take it out of the active security manual and archive it.

Summary

Policies and procedures are the written guidelines, approved by management, that instruct the staff on how to perform their duties and responsibilities. Ensuring that the staff follows them is the job of management and supervisors.

Keeping security policies and procedures up-to-date and “relevant” is not an easy job, but it is one that must be done. The time to find out that a security policy or procedure does not work, or that the staff does not know how to implement it, is not during an emergency!

I hope all of you have a Happy and Secure New Year!