Et Tu, Policy

Policies constitute an established course of action directed toward accepted business goals and objectives. Procedures are the methods by which policies are performed. Standards are definitions of quality generally accepted by industry. An example of a standard is the Institute of Electronic and Electrical Engineers standard 802.11, which is a measure for standard information technology telecommunications and information exchange between information networks.

Each procedure has an action, decision or repeated step. In other circumstances, the word procedure can also appear in a variety of forms, such as Standard Operating Procedure (SOP), Department Operating Procedure (DOP), or Quality Operating Procedure (QOS). Regardless of the terminology used, policies are written to carry out the details of the business process. In some business cultures, there may not be a significant distinction between policy and procedure. In other cultures, there may be a great difference between policy and procedures.

In times past, there were many businesses that did not think they needed well-developed policies and procedures. However, in today's legislated world, there is hardly an organization that is not specifically addressed by laws and regulations. For example, in the area of healthcare, data collected must undergo a high level of access restriction because failure to do so could result in criminal or civil penalties. The content of privacy statutes, directed to healthcare providers, is detailed in very specific language.

Organizations must ensure that the content of policies and procedures does not violate the rules, regulations, and laws under which they must operate, or good business sense. The rationale for establishing policies that are disseminated throughout an organization is twofold:

1. They establish clear and consistent processes. Organizations must show widespread uniformity in applying laws and regulations.

2. They allow employees, who are not legally minded, to have confidence that they are performing their duties in conformity with the law. For example, a township finance office has the responsibility of accounting for sales tax revenues collected from local businesses. Local ordinances require such taxes to be paid to the township government one quarter after collection. Recently, the township council decided they would offer certain qualifying businesses rebates on their collected sales taxes as an incentive to remain in the township, as there had been some difficult economic times. The township had a policy that described the process for creating, amending, and deprecating policies. Accordingly, the finance office drafted, vetted, and implemented a series of policy changes. Policy changes were proposed by the finance office and vetted through their legal counsel, the audit unit, and the township executive committee. After all parties approved the policies, they were adopted and installed. Corresponding changes were made in the check processing software so that tax rebate checks carry two signatures: (1) the signature of one of the five township executives and (2) the signature of the comptroller. This policy observed the changes made to the law and the internal controls of least privilege and separation of duties. Under the policy, no one person or office could authorize the release of revenue rebate checks.

There are many other reasons for documenting policies:

Performance standards. Written policies enable managers and their subordinates to define and understand their requirements, boundaries, and responsibilities. Policies create performance baselines to which subsequent changes can be referred, enabling orderly process changes to be made.

Performance metrics. Policies enable managers to determine whether a subordinate's action was simply poor judgment or an infringement of the rules. If specific rules did not exist, then employees could not be held accountable for their actions. Having a written baseline of performance expectations, those in authority can decide if disciplinary action or reward is warranted.

Management metrics. Policies provide substantial freedom to employees in the performance of their duties, allowing them to make decisions within previously defined boundaries. Well-defined policies allow employees to do their jobs without micro-managers meddling in their work. In this same vein, policies enable managers to manage by exception rather than by controlling every action and decision of their subordinates. Before an action begins, employees know the rules and are more likely to produce the right result the first time.

Quality models. The International Standards Organization developed a series of worldwide quality standards known as ISO 9000. This is a set of documents addressing quality systems applicable to most settings. They specify requirements and recommendations for the design and assessment of management systems, ensuring that goods and services reach specified requirements. ISO 9000 standards apply to most processes and require that policies and procedures are documented, understood, and executed.

The Capability Maturity Model® (CMM) process developed by the Scientific Engineering Institute located at the Carnegie Mellon University is a framework that describes key components of effective systems and software development. The CMM is very powerful as it provides the necessary detail to understand the requirements of each maturity level, allowing organizations to examine and compare their practices. In this fashion, gap analyses are completed and improvements are prioritized addressing specific needs. The CMM has five maturity levels, with each level requiring specific policies and procedures before advancing to the next level.

Both ISO 9000 and the CMM are important industry standards representing desirable and pursued quality standards. They are important to organizations in terms of process improvement, but they also are considered an excellent source for policy content.
