In the early 2000's, there was a reality TV show on TLC called "What Not to Wear." The show's premise involved giving poorly dressed individuals a guided shopping spree and the makeover of their dreams. While the show was not about policy writing, believe it or not, the lessons learned from the show can be very much applied to the process of writing a policy.
When it comes to writing a policy, wisdom is key. You must know what not to write before you can know what you need to write. The purpose of this article is to put policies into a 360-degree mirror and shed some light on a few areas which may need a little care. So, get out your policies and call me Stacy London. It's time for a policies makeover.
Mistake #1: It's the Wrong Size
Just like how clothes can be the wrong fit, policies can be the wrong size, too.
- Policies which are too broad can leave out concepts which may need to be addressed. For example, I cannot tell you the number of times I have heard the question, "Do you have a cybersecurity policy?" My response: "Yes, which one?" Cybersecurity is a big idea. Much like an information security policy, a cybersecurity policy often better exists as a series of policies designed around the topic of cybersecurity (e.g., access controls, encryption, malicious software protection, remote access, etc.).
- On the other hand, policies which are too specific can be dangerous, as well. The more specific the policy, the harder it is to follow, and the more times it will have to be approved when changes are made. One place we often see policies which are too specific is in relation to vendor management. A vendor management policy does not need to go into all the details about how an organization manages their vendors. The details go in the vendor management program. The policy should be much higher level.
Writing a policy is about governance, risk management, and compliance (GRC). It is about defining behavior and offering guiding principles. When policies are too broad or too specific, they can miss the mark.
Mistake #2: It's Missing Some Context
Question: What do your favorite old t-shirt and your "Cloud Computing" policy have in common?
Answer: Without context, neither of them makes sense.
When writing a policy, it is important to include context so the policy can communicate most effectively with its readers. Some examples of context could include:
- Definitions: It is important to define potentially messy terms and acronyms. For example, if you were writing an information security policy and you used the acronym "ACL," you would probably use the term in the context of an "access control list." If, however, your reader's history was in sports medicine, "ACL" suddenly means something very different.
- Justification: Why do you need this policy and why is it important for the Board to approve it? For example, while it might be obvious to you that you need to implement a new "Remote Work" policy, others might not know about the risks associated with using organization-owned devices outside the office or the risks of printing confidential documents at home.
- Keywords: In technology, we use a lot of terms to describe similar things. For example, think about the terms vendors, third parties, service providers, and outsourcing. Each of those terms can be used to describe the organization's relationship with an external entity, but it is important to make sure all keywords are included (and defined) in the policy to make the reader's life easier.
At Tandem, we have a dedicated "Commentary" field on our information security policies to house exactly these kinds of information. These things are not necessarily "policy" language because they don't define behavior. What they do though is lay the foundation from which the rest of the policy grows. Context is key.
Mistake #3: It's Like Déjà Vu
I confess: If I find an article of clothing I love, I'm going to buy it in every possible color. Well, not every possible color, but I do have the same cardigan in three different colors. One of my coworkers recently noticed and asked, "Wasn't that a different color last week?" Why yes, yes it was.
The point: Repeating things can be risky, especially when it comes to policies.
While policies need to cover all the bases, having multiple policies which talk about the same thing again and again can make readers feel like it's Groundhog Day. This is especially problematic if the duplicate content gets out of sync.
For example, let's say your "Change Management" and "Patch Management" policies have content which overlaps (e.g., authorized personnel, frequency of updates, update processes, etc.). Instead of rehashing the same content in both policies and risking potentially conflicting information, just make a note on the "Patch Management" policy which says, "See the Change Management policy for details." You will thank yourself later.
To see other examples of related policies, check out our article on the Key Sections of an Information Security Policy.
Mistake #4: It's Ugly
When preparing to attend an important event, we want to put our best foot forward. We want to walk in feeling like James Bond or Audrey Hepburn, not the human equivalent of an ugly Christmas sweater. If this is as true for you as it is for me, why are we so often okay with taking the policy equivalent of an ugly Christmas sweater with us into the board room?
There's an old adage that says, "You should not judge a book by its cover." In the era of modern technology, eye-catching social media posts, and infographics, this just doesn't hold water anymore. We judge documents in an instant. If it isn't visually appealing, this now says something about the level of quality or effort put into the document.
Policy document design can say a lot not only about the level of detail people put into caring for their policies, but also their technical skills and resourcefulness. The "Ugly Policy Document Hall of Fame" is lined with candidates, including:
- Mismatched fonts. If Times New Roman size 14 is used for one sentence and Arial size 8 for another, this is a bad look. It's like wearing two different shoes.
- Mismatched ordered lists. Whether you use "a, b, c," or "1, 2, 3," or if you're a Roman numerals person, the bullet formatting should be consistent and should improve a policy's flow, not distract from it. You wouldn't wear a tux with flip flops.
- RANDOM ALL CAPITALIZATION IN SENTENCES. Why are you yelling at me?*
- Inconsistent text spacing. Why? Just… Why?
In short, if policies are formatted in such a way that the formatting distracts readers from the purpose, the policy is lost. The whole point of writing down policies is so that others can read and understand them. If the document formatting impedes that goal, it might be time to revisit, call in a professional document designer, or start using a policy management application which designs the documents for you in an instant.
Just like a good wardrobe, policy document design should be timeless and classy.
*Disclaimer: Some scholars say that in legal documents, sentences should be written in all-caps to communicate with the reader that they are waiving certain rights. That said, unless your policy is actively taking rights away from your employees, please consider not using all caps.
Mistake #5: It's Not Used
One of my favorite parts of any reality TV series is when they show "where are they now?" Unfortunately, many times what appears to be a "happily ever after" on the show ends up just being "old habits die hard." Closets remain lined with the wardrobes of yesteryear and people forget or choose not to follow all the valuable lessons learned.
If nothing else from this article connected, this is the one takeaway I want you to have:
The biggest mistake you can make when writing a policy is writing one which is or will not be followed.
When the policy does not match the practice, the door is opened for noncompliance, audit and exam findings, and worst of all, gaps in risk management. Sometimes, this can happen unintentionally, such as if the policy started from a template and wasn't customized. Other times, it can be completely intentional because the policy is written in such a way that it is not achievable.
A policy is written to communicate the ideal state of the organization. However, this "ideal state" must be feasible. Policies need to accurately reflect you and your business. Whatever you use for your policies, whether it is Tandem or something else, customize it. Make sure the policy is useful.
Happily Ever After
Just like Clinton and Stacy, policies are your friends. Help them help you. If you're ready for a policies makeover, check out Tandem Policies. Our policies management software is designed to help you create and maintain your enterprise-wide policies. Tandem comes with a default list of more than 50 information security policies, designed to act as a starting point and get you going in the right direction. Sometimes, we all need a little help. Learn more about how Tandem can help you at Tandem.App/Policies-Management-Software.