One of my earliest cases as a private investigator involved a chain of auto repair shops where managers at some shops were suspected of pocketing cash payments from customers. The owner also suspected that some employees were sneaking into some of the shops late at night after the business was closed and were using company facilities, tools, and diagnostic equipment to work on friends’ cars.
My investigation involved posing as a customer, hidden cameras, targeted surveillance, and some forensic computer analysis. At the conclusion of the investigation, I was able to establish that more than one shop manager was routinely pocketing cash payments from customers and, in addition to using the shop in the evenings after business hours to repair friends’ vehicles, one manager was running a late-night under-the-table car repair business using the company’s facilities and equipment.
One of the suggestions I made to the owner was that he should add some protocols to the company’s security policy about how managers handle cash payments from customers and also include some rules about after-hours use of shop facilities and shop equipment. To my surprise, the owner said his company had no security policy. At the time, I was surprised. But since then I have discovered more and more small businesses (even some medium-sized businesses) that have no written security policy. Of those businesses that actually had a written security policy, many had not reviewed or updated their policy in many years.
The importance of every business having a SECURITY POLICY.
Very few businesses in the United States are mandated by law to have a security policy. Establishing a security policy is not likely to solve security problems, but it is an important starting point. A well-crafted security policy provides a framework for identifying security risks and outlines how the company plans to protect its assets. It is also an unequivocal announcement from management that the company has a serious commitment to security, and a way for the company to commit to taking steps to secure assets and keep personnel safe and secure.
Often security policies are a mishmash of rules and procedures, guidelines, and maybe some standards, all rolled helter-skelter into one document and called a "Security Policy." There is a difference between policy, guidelines and rules, and procedures, and these distinctions are not just academic.
In brief, policies are overarching principles from management and are meant to establish a tone and influence behavior. Standards are levels of quality or achievement and typically involve industry "Best Practices." Guidelines are statements meant to guide behavior. Rules tell a person what to do or not to do in a specific situation. Procedures are a fixed way of doing something.
Rules and procedures are important parts of a well-crafted security policy, but the policy must come first. Standards flow from the policy, and guidelines and rules flow from the standards. Procedures follow from these.