
What are policies procedures guidelines standards


What are Policies, Standards, Guidelines and Procedures?

In order to protect information, businesses need to implement rules and controls around the protection of information and the systems that store and process this information. This is commonly achieved through the implementation of information security policies, standards, guidelines and procedures. However, what exactly are these? This article will explain what information security policies, standards, guidelines and procedures are, the differences between each and how they fit together to form an information security policy framework.

Policies

An information security policy consists of high level statements relating to the protection of information across the business and should be produced by senior management. The policy outlines security roles and responsibilities, defines the scope of information to be protected, and provides a high level description of the controls that must be in place to protect information. In addition, it should make references to the standards and guidelines that support it. Businesses may have a single encompassing policy, or several specific policies that target different areas, such as an email policy or acceptable use policy. From a legal and compliance perspective, an information security policy is often viewed as a commitment from senior management to protect information. A documented policy is frequently a requirement to satisfy regulations or laws, such as those relating to privacy and finance. It should be viewed as a business mandate and must be driven from the top (i.e. senior management) downwards in order to be effective.

Standards

Standards consist of specific low level mandatory controls that help enforce and support the information security policy. Standards help to ensure security consistency across the business and usually contain security controls relating to the implementation of specific technology, hardware or software. For example, a password standard may set out rules for password complexity and a Windows standard may set out the rules for hardening Windows clients.

Guidelines

Guidelines consist of recommended, non-mandatory controls that help support standards or serve as a reference when no applicable standard is in place. Guidelines should be viewed as best practices that are not usually requirements, but are strongly recommended. They could consist of additional recommended controls that support a standard, or help fill in the gaps where no specific standard applies. For example, a standard may require passwords to be 8 characters or more and a supporting guideline may state that it is best practice to also ensure the password expires after 30 days. In another example, a standard may require specific technical controls for accessing the internet securely and a separate guideline may outline the best practices for using the internet and managing your online presence.

Procedures

Procedures consist of step by step instructions to assist workers in implementing the various policies, standards and guidelines. Whilst the policies, standards and guidelines consist of the controls that should be in place, a procedure gets down to specifics, explaining how to implement these controls in a step by step fashion. For example, a procedure could be written to explain how to install Windows securely, detailing each step that needs to be taken to harden/secure the operating system so that it satisfies the applicable policy, standards and guidelines.

The Information Security Policy Framework

Each document listed above has a different target audience within the business and therefore should never be combined into one document. Instead there should be several documents that together form the concept of an information security policy framework. This framework is illustrated in the diagram above, with each level of the framework supporting the levels above it.

In order to help cement this concept, let’s use an example to illustrate how all of these different framework pieces fit together.

A policy may state all business information must be adequately protected when being transferred.

A supporting data transfer standard builds upon this, requiring that all sensitive information be encrypted using a specific encryption type and that all transfers are logged.

A supporting guideline explains the best practices for recording sensitive data transfers and provides templates for the logging of these transfers.

A procedure provides step by step instructions for performing encrypted data transfers and ensures compliance with the associated policy, standards and guidelines.
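The practical difference between the standard and the guideline in this example is that one is mandatory and the other is advisory. The following added example (not part of the original article) makes that distinction executable: it checks constructed transfer records against the standard (encryption with a permitted cipher, every transfer logged) and the guideline (the logging template). The record format, the field names, the permitted cipher list and the template fields are assumptions made for this example.

```python
"""Added example: evaluating data-transfer records against the framework above.

The policy, standard and guideline are the ones described in the article; the
record layout, the permitted cipher list and the log template fields are
assumptions for this example and do not come from the original page.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Standard: mandatory controls. Any failure here is a compliance violation.
ALLOWED_CIPHERS = {"AES-256-GCM", "ChaCha20-Poly1305"}   # assumed "specific encryption type"

# Guideline: recommended fields from the logging template. Missing fields are advisory only.
RECOMMENDED_LOG_FIELDS = {"sender", "recipient", "classification", "timestamp", "ticket"}


@dataclass
class TransferRecord:
    transfer_id: str
    classification: str            # "public" or "sensitive" (assumed scheme)
    cipher: Optional[str]          # None means the transfer went in the clear
    logged: bool
    log_fields: Set[str] = field(default_factory=set)


@dataclass
class Finding:
    level: str                     # "violation" (breaks the standard) or "advisory" (misses the guideline)
    message: str


def evaluate(rec: TransferRecord) -> List[Finding]:
    """Apply the standard first, then the guideline, and report each gap with its level."""
    findings = []

    # --- Standard (mandatory): sensitive data must be encrypted with a permitted cipher ---
    if rec.classification == "sensitive":
        if rec.cipher is None:
            findings.append(Finding("violation", f"{rec.transfer_id}: sensitive data sent unencrypted"))
        elif rec.cipher not in ALLOWED_CIPHERS:
            findings.append(Finding("violation", f"{rec.transfer_id}: cipher {rec.cipher} not permitted by the standard"))

    # --- Standard (mandatory): all transfers, public or sensitive, are logged ---
    if not rec.logged:
        findings.append(Finding("violation", f"{rec.transfer_id}: transfer was not logged"))

    # --- Guideline (recommended): the log entry follows the template ---
    if rec.logged:
        missing = RECOMMENDED_LOG_FIELDS - rec.log_fields
        if missing:
            findings.append(Finding("advisory", f"{rec.transfer_id}: log entry lacks template fields {sorted(missing)}"))

    return findings


def is_compliant(rec: TransferRecord) -> bool:
    """Compliance is decided by the standard alone; guideline advisories never fail a transfer."""
    return not any(f.level == "violation" for f in evaluate(rec))


# Constructed sample records for the demonstration (not real transfer data).
SAMPLE = [
    TransferRecord("T1", "sensitive", "AES-256-GCM", True, set(RECOMMENDED_LOG_FIELDS)),
    TransferRecord("T2", "sensitive", "AES-256-GCM", True, {"sender", "recipient"}),  # meets standard, misses guideline
    TransferRecord("T3", "sensitive", "3DES-CBC", True, set(RECOMMENDED_LOG_FIELDS)),   # cipher outside the standard
    TransferRecord("T4", "public", None, False),                                         # unlogged: violation even for public data
]

if __name__ == "__main__":
    for record in SAMPLE:
        verdict = "compliant" if is_compliant(record) else "NON-COMPLIANT"
        print(record.transfer_id, verdict)
        for finding in evaluate(record):
            print("   ", finding.level.upper(), finding.message)
```

Keeping the two document levels as separate checks is the point: an auditor can fail T3 and T4 against the standard while only raising T2 with the team that owns the logging template, which is exactly how the article says guidelines should be treated.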


Policies, Standards, Guidelines, Procedures/Processes

Saint Louis University has put in place numerous policies, guidelines, standards, standard operating procedures (SOPs), and processes to ensure the security of University information and faculty, staff and students' data.

Policies and Standards

IT Documentation Framework Definitions

Policy: A formal, brief, and high-level statement or plan that embraces an organization's general beliefs, goals, objectives, and acceptable procedures for a specified subject area. Policies always state required actions, and may include pointers to standards. Policy attributes include the following:

- Require compliance (mandatory)
- Failure to comply results in disciplinary action
- Focus on desired results, not on means of implementation
- Further defined by standards and guidelines

Standard: A mandatory action or rule designed to support and conform to a policy. A standard should make a policy more meaningful and effective. A standard must include one or more accepted specifications for hardware, software, or behavior.

Guideline: General statements, recommendations, or administrative instructions designed to achieve the policy's objectives by providing a framework within which to implement procedures.

A guideline can change frequently based on the environment and should be reviewed more frequently than standards and policies.

A guideline is not mandatory; rather, it is a suggestion of a best practice. Hence "guideline" and "best practice" are often used interchangeably.

Procedures: Procedures describe the process: who does what, when they do it, and under what criteria. They can be text based or outlined in a process map, and they represent the implementation of policy.

A procedure is a series of steps taken to accomplish an end goal. Procedures define "how" to protect resources and are the mechanisms that enforce policy. They provide a quick reference in times of crisis, and they help eliminate the single point of failure that exists when the knowledge of how to do something lives only in one person's head. Also known as an SOP (Standard Operating Procedure).

Work Instructions: Describe how to accomplish a specific job.  Visual aids, various forms of job aids, or specific assembly instructions are examples of work instructions. Work instructions are specific.

Forms and Other Documents: Forms are documentation that is used to create records, checklists, surveys, or other documentation used in the creation of a product or service. Records are a critical output of any procedure or work instruction and form the basis of process communication, audit material, and process improvement initiatives.


The Key Difference Between a Policy, Process, & Procedure (and Why it Matters For Your Business!)

Successful businesses and organizations have systems. Every employee working for a company has a set of rules to follow as they complete tasks. They may also have instructions that show them exactly how to complete each task.

While it may seem like there is no difference in this employee system there are actually important differences that determine the success of your company.

The problem for businesses is they often struggle to define three key elements:

Policy Process Procedure

Too often these three items are used interchangeably, but there are key details in each that make them necessary on their own for a complete working system. In order to effectively delegate tasks to others it's important to have all three elements.

There is too much confusion surrounding policy, process and procedure. Here are the real definitions.

It’s a common problem for a business to only have one or two of the three items. All three are necessary for you to complete the task and especially important for delegating tasks.

Also, incorrectly defining each of the three items can cause confusion leading to further inefficiencies, which cut down on productivity and profitability.

If you find yourself asking the question, "Why aren't my workers understanding the process and why can't they keep up?" you may have a problem with policy, process and procedure.

 How to Define and Create Policies, Processes and Procedures

In this article we will define each of the items and show you how to create all three so your business operates smoothly and you can grow by passing tasks on to others.

Additionally, we will cover the differences between all three so you can see specific situations when each is applied. This should give you a complete understanding of how to set up all three items for your business.

You’ll be on your way to operating more efficiently, which should lead to even more success.

 


Overview: Policy, Process and Procedure

Image Credit: KCC Group

Before we get into the details let’s take a step back and look at the big picture of policy, process and procedure.

Here are two examples of all three in action.

First, here is an example from the KCC Consultant Group (the original article accompanied it with an image). The situation is a person driving to a new location. The person goes through the system of driving, but in order to successfully complete the task of reaching the destination they need a policy, a process and a procedure.

The policy is the list of rules or the framework for the task. In the case of driving the policy is the rules and regulations for driving.

The process is the outline of how to get to the destination. Imagine the map showing the driver where they are starting and where they are ending.

Finally, the procedure is the list of exact instructions for every turn the driver needs to take to arrive at the destination.

As you can see in this example, the driver should have no problem reaching their destination efficiently. With all three elements of the task in place they avoid the wrong turns and delays that come from guessing.

Another example is common today. Many businesses hire staff specifically to handle social media including updates and interaction with followers. The task is for the social media manager to post updates to the various social profiles and respond to messages.

The social media policy gives the manager guidelines and rules to follow when posting updates. One rule in the policy may inform the manager to avoid responding to obvious spam messages. Another rule may inform the manager not to post any obscene images.

The social media process is the overview of how social media updates are completed. The process makes it easy for anyone, including new employees, to see what the task is and how to complete it. The social media process will delegate certain responsibilities. For example, a blog post may have a writer, a designer (for graphics) and a manager to share the post on social profiles. Each task within the overall process is listed.

Finally, the procedure gives detailed steps to the manager and others involved for completing the tasks. For posting on a social media site the procedure will list the URL for the login. The next steps will be to login, create the post, review it for any potential policy violations and finally hit submit to publish the post to the public.

Now, let’s go even deeper into each of the three elements of a task or a system.

 


Policy

Image Credit: striatic

Just like in business, Chess has a stated goal, but you have to follow the rules.

Repeatable tasks are essential in any business and organization. These tasks are those that have been tested and honed over the years so they are efficient and profitable.

However, without guidelines and rules – the policy – there is room for error. When a new person comes on the team and takes over a task they need to have a policy to follow so they don’t make avoidable mistakes.

Here is an example of the Cisco Social Media Policy. The first rule or policy is that employees must make it clear that their social media thoughts are their own and not those of Cisco. That’s a common social media policy for companies today. Another is to make no commitments on behalf of Cisco.


Safeway has an online marketing affiliate program. They have multiple policies for affiliates including a search marketing policy. One item in the policy agreement is that no affiliates can purchase branded keyword phrases on search engine advertising engines. No misrepresentation of the brand is allowed.

Google has a policy agreement for Gmail users. Rules include no sending messages in violation of CAN-SPAM, imitating others and other items that would be considered malicious.

These are a few examples of how companies and organizations use policies to eliminate mistakes and keep their businesses running efficiently. Policies are essential for many tasks in business. Anytime you have someone doing something a policy (along with the next two items) can improve your system.

Take Action: Now it’s time for you to make use of this information. These businesses have created policies that have made their organizations more efficient. The reason for rules and framework is to eliminate mistakes others have already made. It allows new people on the team to learn faster and get right into the work.

Look at a task in your company that is repeatable and inefficient. Create a policy of rules and guidelines. This is the first step to eliminating confusion when delegating tasks.

 


Process

Image Credit: Social Text

The process is the high level view or the map of the task. Remember the road map example. The map is the process laying out how you will achieve the goal or complete the task. It’s essential to have a process so an employee or partner can see what is expected and that the task can be accomplished.

D3 Creative has a published email design process. It shows prospective clients how the company creates an email design, but it’s also a great process to share with designers on the team that will be designing the emails. You can see that it’s a high level overview of each step from beginning to end.

Here is the process for designing a website published by the University of Texas. It’s another great example of how processes are high-level maps that show people the beginning and end of the task they are to complete.

Dolcera has a nice layout of its business research process. You can easily see the high level steps. It’s a guide for how to complete the steps if you are joining the team to work on the task.


Here’s a fun one from McDonald’s. It’s an overview of the process for how to prepare food for commercials. The video is an example of the process. You can show the video to someone new and they would be able to see the high level map to preparing food for commercial shoots.

Take Action: Now it’s time to create the process for the task you choose in the previous step. Once you have the policies in place you need to layout the process or the high level map of how the task will be completed by the person on your team. If the task calls for multiple people the process will include a map that includes the timing and transfer of steps. The overview gives everyone involved a clear idea of what will occur.

 

Procedure

Image Credit: Robert S. Donovan

The procedure is the step-by-step instructions for how to complete the task. This would be the exact turns a driver would take as they drive to reach a destination. This is the final step in the policy, process and procedure implementation.


Google has a procedure for posting a blog post on Blogger. It includes a step-by-step video that makes it easy for viewers to follow the steps to complete the task – posting a new blog post.

Here is an example of how to work in MailChimp. It’s a basic procedure, but a great example of how even the little things in business can be documented and given to your team members to carry out, saving you time for other items.

Here’s another one on how to send a private message on Reddit. Again, it’s a simple procedure, but one that becomes even easier with documentation of the step-by-step process.

Take Action: Now it’s time to complete the system. Create a complete step-by-step procedure for the task you’ve been working on up to this point. It’s the final item that will give you everything you need to delegate work to others.

 

All Three: Policies, Processes and Procedures

As we said earlier, all three of these items need to be present in order for a system to work. It’s difficult for anyone to complete a task without having each item. The system eliminates mistakes and makes the operation efficient.

Creating effective policies, processes and procedures eliminates mistakes.

Google has many different policies, processes and procedures. For example, a common task for people have today is uploading a video to YouTube. YouTube has a policy for uploading content and participating in the community. The policy is a set of guidelines and rules to follow when uploading videos. This page is the process. It’s a general overview or map of how to upload a video. Each of the items listed, like the how to upload page, are the procedures you need to follow to finish the task.

Another example is Basecamp, the popular co-working software. The Terms of Service agreement is the set of guidelines for using the software. Each task must follow these guidelines. Here is the Projects 101 page. If your task is to get started with Basecamp you can see the map of that task on the left sidebar. When you're ready for the first step, the set of instructions on the right guides you through step-by-step. That's the process and procedure.

Florida State College has a pretty good example of all three items for its social media program. They provide policies and rules along with an overview of best practices or a high level view of the process for using social media. There are also exact step-by-step procedures for implementing social media presences on behalf of the organization.

The University of Montana has a complete system for reviewing its programs. There are rules for those that will review the programs. The main page is an overview of the process and each page has details about completing the task.

Take Action: Complete your system. Finish off the policy, process and procedure. Review it to make sure you would be able to understand everything. Then pass it along to someone else and see how he or she does.

 

Create Your Policies, Processes and Procedures Using This Method

Image Credit: ArtNeedleThreadStitches


First, create a policy for the task of your choice. For example, answering email. Let’s say you are a busy person and you don’t have time to filter your own email. We’ll create a system using the method above.

Your policy will have rules and guidelines for filtering your email inbox. The first rule might be to never send an email or a response that commits long-term contracts on your behalf. Another rule could be never misrepresenting oneself for personal gain.

The process is a high level map of how a person will manage your email. It will outline how to take one email as an example and how to filter it for viewing, for deleting or for response.

Finally, the procedure will document the exact steps to take to filter emails. You’ll include exactly what you want to have happen for specific types of emails.

Setting up these systems is a lot of work up front, but it can save you a large amount of time in the long run opening you up to grow your business or to do other more enjoyable things.

In this example, a law firm knew how to gain new customers, but they couldn’t deal with the growth. They brought in a company to help setup policies, processes and procedures and the company thrived. Average monthly-billed fees increased 244% in two years. Total hours worked increased 259% showing how well new team members were able to come on board and operate as the company grew.

As you can see, it’s important to have an understanding of policy, process and procedure.

Once you have this system in place it will be easier to hire the right employees.

 

Conclusion

Businesses have an issue with scale. In order to scale, every business needs to create systems. These systems use the policy, process and procedure method because it works.

Identify a task you currently have in your business. Create a policy or a set of rules and guidelines. Outline the overall process. From there, create the exact steps someone will take to complete the task.

This is how businesses scale and if you want to scale your business it’s time to start creating systems.


 


Differentiating between policies, standards, procedures and technical controls

What are the differences among policies, standards, procedures and technical controls?

Policies

Policies are long-term, high-level management instructions on how the organization is to be run and generally are driven by legal concerns (due diligence). Policies reflect an organization's goals, objectives, culture and are intended for broad audiences. They also are mandatory and are applicable to anyone -- employee, contractor, temporary, etc. Special approval if the policy is not to be followed (an exception) should be documented. (Yes, a policy for exceptions is necessary!). Policies drive standards, procedures and technical controls. Example: Passwords will be used.

Standards

Standards define the process or rules to be used to support the policy, such as system-design models or specific software or methodologies. Standards can be directed to a broad audience or limited to specific groups or individuals (e.g., software developers), are of limited duration and reflect organizational change or environmental changes. Like policies, standards are mandatory and require special approval if the standard is not to be followed. Example: Passwords will be constructed of 6-8 alpha-numeric characters.

Procedures

Procedures are specific instructions (ordered tasks) for performing some function or action. Procedures are of a somewhat short duration, are mandatory and they reflect organizational change or environmental changes. Example: To change your password, type your old password, then a front slash and then your new password.

Technical controls

Technical controls are mechanisms used to regulate operations to meet policy requirements (countermeasures). Technical controls can be volatile, particularly in a distributed environment, when hackers are gracious enough to find holes in technology and point them out to the user community!
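A technical control is where a standard stops being a document and starts being enforced. The added example below (not part of the original article) turns the password examples above into such a control: the policy "Passwords will be used" is the reason the check exists, the standard is held as data so it can be revised without rewriting the control, and a policy exception is only honoured when it is recorded with its approval. The page's own "6-8 alpha-numeric characters" standard is kept verbatim as the legacy entry; the stricter current standard, the exception register and the account names are assumptions for this example. As a caveat, a 6-8 character alphanumeric rule is far below today's baseline: NIST SP 800-63B asks for a minimum of 8 characters, a maximum of at least 64, no composition rules and no forced periodic rotation.

```python
"""Added example: a technical control that enforces a password standard.

The policy ("Passwords will be used") and the legacy standard ("6-8 alpha-numeric
characters") are quoted from the text above. The current standard, the exception
register and the account names are assumptions for this example only.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class PasswordStandard:
    name: str
    min_len: int
    max_len: int
    pattern: str       # regex the whole password must match


# The page's example, verbatim: 6-8 alphanumeric characters (weak by today's baseline).
PAGE_EXAMPLE_STANDARD = PasswordStandard("legacy-6-8-alnum", 6, 8, r"[A-Za-z0-9]+")

# Assumed replacement: 12-64 printable ASCII characters, no composition rule.
CURRENT_STANDARD = PasswordStandard("current-12-64", 12, 64, r"[\x20-\x7E]+")

# Policies require documented approval for exceptions. This register (assumed shape:
# account -> (approval reference, standard the account may fall back to)) is the record;
# an account that is not listed gets no exception, however legacy the system is.
EXCEPTIONS = {
    "svc-legacy-scanner": ("CHG-0000 appliance limited to 8 chars, compensating MFA", PAGE_EXAMPLE_STANDARD),
}


def check_password(password: str, standard: PasswordStandard = CURRENT_STANDARD) -> List[str]:
    """Return every reason the password fails the standard; an empty list means it complies."""
    reasons = []
    if len(password) < standard.min_len:
        reasons.append(f"shorter than {standard.min_len}")
    if len(password) > standard.max_len:
        reasons.append(f"longer than {standard.max_len}")
    if not re.fullmatch(standard.pattern, password):
        reasons.append("contains characters the standard does not permit")
    return reasons


def enforce(account: str, password: str) -> Tuple[bool, str]:
    """The control itself: accept or reject, and name the document that decided it."""
    reasons = check_password(password, CURRENT_STANDARD)
    if not reasons:
        return True, f"accepted under {CURRENT_STANDARD.name}"

    # Only a documented exception may relax the check, and only down to the recorded fallback.
    if account in EXCEPTIONS:
        approval, fallback = EXCEPTIONS[account]
        if not check_password(password, fallback):
            return True, f"accepted under exception {approval} ({fallback.name})"
        return False, f"rejected: fails {CURRENT_STANDARD.name} and exception fallback {fallback.name}"

    return False, f"rejected under {CURRENT_STANDARD.name}: " + "; ".join(reasons)


if __name__ == "__main__":
    # Constructed inputs for the demonstration.
    for account, pw in [("alice", "correct horse battery"), ("alice", "abc123"),
                        ("svc-legacy-scanner", "abc123"), ("svc-legacy-scanner", "ab")]:
        ok, why = enforce(account, pw)
        print(account, "OK" if ok else "NO", why)
```

The shape matters more than the particular rules: the standard is data, the control reads it, and an exception is a recorded decision with a bounded fallback rather than a silent bypass, which is the "policy for exceptions" the text above insists on.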


Policy vs. Procedure: A Guideline

I. BACKGROUND.

A campus-wide effort is underway to recast and revitalize the Campus Administrative Manual (CAM) into a more coherent set of chaptered policy statements organized around the several operational divisions of the University.

This guideline, "Policy vs. Procedures" has been developed as an aid to those involved in drafting and reviewing proposed policy statements for inclusion in the new publication known as "Campus Administrative Policies" (CAP). The emphasis in the CAP is on policy, not procedures.

II. DEFINITIONS.

Policy: The formal guidance needed to coordinate and execute activity throughout the institution. When effectively deployed, policy statements help focus attention and resources on high priority issues, aligning and merging efforts to achieve the institutional vision. Policy provides the operational framework within which the institution functions.

Procedures: The operational processes required to implement institutional policy. Operating practices can be formal or informal, specific to a department or applicable across the entire institution. If policy is "what" the institution does operationally, then its procedures are "how" it intends to carry out those operating policy expressions.

III. DISTINGUISHING CHARACTERISTICS.

The distinctions commonly drawn between policy and procedures can be subtle, depending upon the nature of the organization and the level of operations being described in the statements. Nevertheless, there are common characteristics that can help discern policy from procedures (or the practices used to implement policy). They are:

POLICY                               | PROCEDURE
Widespread application               | Narrow application
Changes less frequently              | Prone to change
Usually expressed in broad terms     | Often stated in detail
Statements of "what" and/or "why"    | Statements of "how," "when" and/or sometimes "who"
Answers major operational issue(s)   | Statements of "how," "when" and/or sometimes "who"

IV. TYPICAL EXAMPLES.

Here are some examples out of CAM to help underscore the distinctions between policy and procedure:

CAM 640 Student Financial Aid: The Financial Aid Office is responsible for the administration and resource coordination of the university's student financial aid program which covers all scholarships, loans, grants, fellowships, assistantships, student stipends, and work-study. A standard application called the Student Aid Application for California is required for most of the financial aid programs. There is also an established filing period for priority consideration. This period is January 1 through March 1.

Comment: The first sentence represents a clear statement of policy that the FAO has certain responsibilities. The second sentence relates more to procedures. The third and fourth sentences might be either policy or procedure depending upon the level of detail needed to fully state the policy.

CAM 341.2 Support Staff Employees: Evaluations for a majority of support staff employees are conducted after completion of three, six, nine and twelve months of service during the probationary period. Once permanency is achieved (usually at the end of one year of probation) performance evaluations are completed annually by the supervisor. For administrative/professional employees in some collective bargaining units, performance evaluations are completed after six, twelve, eighteen, and twenty-four months of service, and annually thereafter. (See Support Staff Employee Performance Evaluations Forms 138 and 139, available in the Personnel Office.)

The supervisor will use one of the Support Staff Employee Performance Evaluation Forms to evaluate support staff employees.

Comment: The first paragraph is policy. The follow-on parenthesis to that paragraph and the second one-sentence paragraph are more procedure than policy.

CAM 541.4 Policy for Receipting Gifts: The procedures for receipting gifts are contained in the Fund Raising and Public Affairs Policy and Guidelines. Generally all gifts will be centrally receipted by the University Development Services Office.

Comment: The section title indicates a policy statement is to follow. But the first sentence is merely a reference to another document on procedures. The second sentence is a policy statement.


Understanding Policies, Standards, Guidelines, and Procedures

A plethora of documentation exists in the operation of any organization. Management uses this documentation to specify operating and control details. Consistency would be impossible without putting this information into writing.

Organizations typically have four types of documents in place:

Policies These are high-level documents signed by a person of significant authority (such as a corporate officer, president, or vice president). The policy is a simple document stating that a particular high-level control objective is important to the organization's success. Policies may be only one page in length. Policies require mandatory compliance.

The highest level of people in charge is the officers of upper management. Chief executives, financial officers, and operating officers are the principal issuers of policies.

Standards These are mid-level documents to ensure uniform application of a policy. After a standard is approved by management, compliance is mandatory. All standards are used as reference points to ensure organizational compliance. Testing and audits compare a subject to the standard, with the intention of certifying a minimum level of uniform compliance. Public standards include the International Organization for Standardization (ISO), Sarbanes-Oxley, and most government laws.

Guidelines These are intended to provide advice pertaining to how organizational objectives might be obtained in the absence of a standard. The purpose is to provide information that would aid in making decisions about intended goals (should do), beneficial alternatives (could do), and actions that would not create problems (won't hurt). Guidelines are often discretionary.

Procedures These are "cookbook" recipes for accomplishing specific tasks necessary to meet a standard. Details are written in step-by-step format from the very beginning to the end. Good procedures include common troubleshooting steps in case the user encounters a known problem. Compliance with established procedures is mandatory to ensure consistency and accuracy. On occasion a procedure may be deemed ineffective. The correct process is to update the ineffective procedure by using the change control process described later. The purpose of a procedure is to maintain control over the outcome.

Figure 1 illustrates the hierarchy of a policy, standard, guideline, and procedure.


 

Figure 1: The relationship between a policy, standard, guideline, and procedure


Difference between Guideline, Procedure, Standard and Policy
Jun 11, 2014

We come across these terms quite often and find many people using them in the wrong way. A guideline simply gives an overview of how to perform a task. A procedure tells us step by step what to do, while a standard is the lowest level control and cannot be changed. A policy is a high level statement that is uniform across the organization. Let's explore these terms individually and develop a better understanding:

★ Guideline

A piece of advice on how to act in a given situation

Recommended but Non Mandatory Control

Example: Employment Discrimination Guidelines, Screening Guideline

Extras: ‘Guide’ + ’Lines’ meaning Instructions for guiding purposes only

★ Procedure

A series of detailed steps to accomplish an end

Step by step instructions for implementation

Example: Standard Operating Procedures (SOPs), A Medical Procedure

Extras: derived from ‘Process’; it’s an established way of doing something

★ Standard

Acceptable level of quality or attainment

Quantifiable Low Level Mandatory Controls

Example: Standard of Living, Standard Size

Extras: ‘Yardstick’; we don’t make or write standards, we follow them

★ Policy

Mandatory High Level Statement protecting information across the business

Business rules for fair and consistent staff treatment and ensure compliance

Example: Dress Code Policy, Sick Leave Policy, Email and Internet Policy

Extras: ‘Police’; ensure discipline and compliance