Picture this: You have a big event coming up, like an audit, an exam, or a board report (you get the idea). You know they are going to ask for your policy review meeting minutes. What exactly are you going to give them?
This is a question community financial institutions face multiple times a year, and, truth be told, it's a stressful one. We have a lot of policies. We know we're supposed to be reviewing them on some regular basis, because we believe policies exist for a reason. But that still doesn't relieve the pressure, because we also know policies are only as good as the people who implement them.
More than that, our word is only as good as the paper trail we leave behind us.
I recently had the opportunity to visit with the Boost Consulting team, a Tandem Partner. Boost is a team of professional and experienced information security consultants. I asked them a simple question, "How do you conduct a policy review meeting?" What I found was a deep well of knowledge I want to share with you today.
While Boost's practices vary from client to client, based on things like the institution's size, risk, and complexity, they can be summed up in six steps.
Step 1: Do the Leg Work
A policy review meeting is only as good as the policy being reviewed. If there are cracks in the foundation, the results are going to be questionable at best. Before you even get to the review process, the first and most important step is to ensure the policy is well written and can actually be followed. For more information about how to write a good policy, check out our article 6 Tips for Writing an Effective Information Security Policy.
Step 2: Schedule the Meetings
Frequency is everything. Policy review meetings need to happen on a regular basis. Most institutions find quarterly to be a good fit, but even that's flexible. As a general rule, the more policies you have, the more often you should have meetings to review them.
Scheduling policy review meetings to occur on a more frequent basis offers a few benefits.
- It keeps workloads manageable. This is simple math. Instead of reviewing 60 policies in one sitting, you'd review 15 at each of four meetings. It's the same amount of work, but spreading it out makes the workload easier to manage.
- It keeps data accurate. For example, let's say you have a review item that says, "review IT asset inventories for accuracy." Would the inventory be more accurate if you reviewed it once a year or four times a year? (It's a rhetorical question.)
- It keeps awareness high. When policies are more visible, they seem less like a compliance issue and more like a practical risk management tool. Getting policies in front of a committee with wide representation helps make sure everybody stays on the same page.
Bottom line, determine the frequency that would work best for you and get it on the calendar.
Step 3: Create the Agenda
A few weeks before each scheduled meeting, create your meeting agenda. Here's what this means.
- Look at what your policies say. Since your policies define behavior, the review process is about checking to see if those behaviors are being performed. This is why it is so important to start with good, well-written, and enforceable policies.
- Turn policy requirements into review items. For example, if a policy says, "perform risk assessments on vendors," the review item could be "Review the vendor management program to ensure vendors are being risk assessed."
- Pick the review items for the upcoming meeting. This is going to be a judgment call, but look at your full list of review items and pick the ones you want to cover at the upcoming meeting. (These are distinct from the action items in Step 6, which come out of the meeting itself.)
As a side note, if you're looking for meeting agenda inspiration, look no further. Tandem Policies can do this for you. Our template set of Information Security Policies comes populated with sample review items which can be generated in a meeting agenda format with the click of a button. Don't take my word for it though. This product is used by the Boost Consulting team who say it is their favorite Tandem product due to its versatility and usefulness. See what Tandem Policies can do for you at Tandem.App/Policies-Management-Software.
Step 4: Distribute the Review Items
Once you have the meeting agenda ready to go, the next step is to distribute the work.
- Assign responsibility for each item. While the agenda might be created for your "Security Committee" meeting or maybe an "IT Steering Committee" meeting, the odds are that each review item only needs to be checked by one or two people. For example, if your review item says, "review the list of terminated user accounts," that's not a twelve-person job; that's something Sally can do by herself. Where you can, assign the review to someone other than the person who performs the task day to day, so the review is an independent check rather than self-certification.
- Most importantly, ask the responsible parties to do the review before the meeting. This is a critical step. Continuing with the example from the previous point, would you really want to spend twelve people's time watching Sally do the user access review? Absolutely not, and Sally wouldn't want that either.
One of the biggest lessons I learned during my visit with Boost was that (despite what the name may imply) the purpose of a policy review meeting is not to review policies. A policy review meeting is a place to discuss the results of the review, which brings us to Step 5.
Step 5: Have the Meeting
At the appointed date and time, pull out your meeting agenda and gather with your fellow committee members to discuss review findings. To use the "four helpful lists" from Tom Paterson, during the meeting, it can be helpful to ask:
- What is working? When things are going well and people are implementing the policy according to expectations, that's great! Give yourself (and your team members) a pat on the back and keep up the good work.
- What is broken? When policies are not being implemented correctly, or even not at all, that's a red flag. Take a step back and ask the all-important question: "Why?" Do a root cause analysis to figure it out.
- What is missing? When you find things during the review that you didn't know before, that's a clue. Determine if any policies need to be created, updated, or removed.
- What is confused? When people are trying to follow the policy, but the dots just aren't connecting, that's a point to clarify. Figure out what you can do to remove the roadblocks for your team to be more successful.
The purpose of a policy review meeting is not necessarily to say, "everything's great!" The point is to take a snapshot of where you are and make plans to grow into something better.
This is a point where having an external consultant may be an excellent benefit for your organization. While it may not be obvious at times which questions you need to ask, consultants have experience in not only asking thought-provoking questions, but also creating practical solutions. Believe me when I say, they've seen it all, and their wisdom can be an incredible asset during these review meetings.
Step 6: Create an Action Plan
If the review meeting was a success, there are likely to be action items generated from the discussion. Create a list of these action items, each with an owner and a due date, and track them through to completion.
You can do this with something as simple as a Word document or Excel spreadsheet. If you want to take your tracking to the next level, consider using a tool like tasks in Tandem Policies. Assign responsibility and schedule reminders to keep everybody on track.
The goal is to formalize your meeting documentation into something that functions as a communication tool, and as the paper trail mentioned at the start: for each review item, record who reviewed it, what was checked, what was found, and what action (if any) was agreed. This resource can then be used to show what went well, what you're working towards, and what you've completed for a 360-degree view of how your policies are doing.
Bringing this article full circle, when it is time for your next big event (e.g., audit, exam, report, etc.), you have a document that is ready to go and accurately reflects the status of your policies, which can give you confidence and help you be the expert in the room.
Let's Do This Together
If you're looking for some assistance with your policy review meetings, you've come to the right place. Turns out, it's one of our favorite things to do! Tandem Policies can help you automate your existing processes and our Tandem Partners, like Boost Consulting, can bring knowledge and skills to help you level up. If you'd like to see Tandem in action, sign up to watch a demo of Tandem Policies today.