Is Your Company Security Policy Worse Than Worthless?
One of my earliest cases as a private investigator involved a chain of auto repair shops where managers at some shops were suspected of pocketing cash payments from customers. The owner also suspected that some employees were sneaking into some of the shops late at night after the business was closed and were using company facilities, tools, and diagnostic equipment, to work on friend’s cars.
My investigation involved posing as a customer, hidden cameras, targeted surveillance, and some forensic computer analysis. At the conclusion of the investigation I was able to establish that more than one shop manager was routinely pocketing cash payments from customers and in addition to using the shop in the evenings after business hours to repair friend’s vehicles, one manager was running a late night under-the-table car repair business using the company’s facilities and equipment.
One of the suggestions I made to the owner was that he should add some protocols to the company’s security policy about how managers handle cash payments from customers and also include some rules about after hours use of shop facilities and shop equipment. To my surprise, the owner said his company had no policy. At the time, I was surprised. But since then I have discovered more and more small businesses (even some medium sized-businesses) that have no written policy pertaining to security. Of those businesses who actually had a written policy, many had not reviewed or updated their policy in many years.
The importance of every business having a security policy.
Very few businesses in the United States are mandated by law to have a security policy. Establishing a policy is not likely to solve security problems but it is an important starting point. A well-crafted policy provides a framework for identifying security risks and outlines how the company plans to protect those assets. It is also an unequivocal announcement from management that the company has a serious commitment to security and is a way for the company to commit to taking steps to secure assets and keep personnel safe and secure.
Often policies are a mishmash of rules and procedures, guidelines, and maybe some standards, all rolled helter-skelter into one document and called a “Security Policy.” There is a difference between policy, guidelines and rules, and procedures, and these distinctions are not just academic.
In brief, policies are overarching principles from management and are meant to establish a tone and influence behavior. Standards are levels of quality or achievement and typically involve industry “Best Practices.” Guidelines are statements meant to guide behavior. Rules tell a person what to do or not to do in a specific situation. Procedures are a fixed way of doing something.
Rules and procedures are important parts of a well-crafted policy, but the policy must come first. Standards flow from the policy and guidelines and rules flow from the standards. This is followed by procedures.
Effective policies form the foundation of the company’s entire approach to security and creating a practical and effective policy is not something best done on a whim or by someone who lacks the skills or motivation to do it right. Crafting an effective policy involves insightful planning and numerous sequentially layered steps. Often it is best to hire someone who has experience in security policy development to tackle the task or at least provide assistance.
Good policies come in many shapes and sizes but the basis of a well-crafted Physical Security Policy includes:
* ASSET IDENTIFICATION. Identifying the assets that need protecting
In a physical security setting this includes buildings, parking lots & other premises, interior rooms & offices, points of entries, inventory, equipment, and many other things.
* ASSET VULNERABILITY ASSESSMENT
Effective asset identification should be coupled with an asset vulnerability assessment as not every asset requires the same level of protection.
* ASSET PROTECTION STRATEGIES
What is the plan to protect specific assets?
Who in the company needs security training and what type of training is best?
* EVALUATION and REVIEW
How will the effectiveness of the security policy be measured? How often will the security policy be reviewed and modified as needed?
Once these elements are articulated and documented in a properly structured Security Policy, then (and only then) should standards, guidelines and rules, and specific procedures be developed that support the overall Security Policy.
The elements in a physical security policy can be expanded depending on the company and business needs. Often, the physical protection of data is also addressed in a Physical Security Policy and the policy is married with an “IT” or data security policy.
Is your company security policy worse than worthless?
If a company does not develop their policy through a systematic process of asset identification, risk assessment, protection strategies, training of key personnel and provide for an evaluation and review process, the security policy ends up just being a fancy document gathering dust on some manager’s shelf. When that happens, the security policy is worse than worthless.
How can something be worse than worthless? Having a policy that is a haphazard conglomeration of policy, standards, rules, and procedures that just “evolved” over time or was created by someone who lacked the skill or motivation to get the job done right, creates confusion among personnel. When confusion occurs, personnel are left to fend for themselves. Sometimes they get it right – sometimes they do not. And worse yet, sometimes supervisors try to enforce rules and procedures that are not consistently followed or enforced. This results in low employee morale, Human Resource type complaints, and sometimes even lawsuits.
Businesses can minimize the occurrence of all of these problems by having a skillfully constructed and effective policy followed by practical security rules and procedures.