“When something really matters, you put it in writing,” said the man who likely never had to experience the tedium of writing governance documentation. Nevertheless, the policies and procedures that provide the foundation for an entity’s governance posture certainly merit such importance and due care. But why all the fuss about documentation? After all, procedures can change before the ink is even dry in some fast-paced environments. And what purpose does the hassle of documenting and maintaining a policy or procedure really serve?
Simply stated, documented policies contemplate management’s strategic direction for all things relevant to control and governance. A well-documented policy establishes the level of intent to which management will extend its…well, its management. The complementing, documented procedures provide the means for execution by organizational staff, while the documented standards further convey the acceptable, and sometimes prescriptive, means to achieve certain control objectives. All of that is a fancy way of saying: “write it down and do it…and when you do it, do it like this.”
So let’s readdress the question of what documentation really accomplishes, particularly if it is prone to collect dust until an auditor pays a visit. The reality is that good documentation creates a culture of precision-based execution. It’s not simply putting words on paper…it’s putting words on paper that provide a measure of controlled success. But we can boil that down further by considering the three “Cs” that are the product of well-managed governance documentation: compliance, consistency, and continuity.
The truth is…auditors simply adore documentation. For the inexperienced auditor, it may simply be rote acknowledgement (i.e., “check the box”) that the documentation exists. The good auditors will, however, acknowledge that management has thought well enough to develop a framework of intent that is in line with either industry practices or regulatory standards. The good auditors will then proceed to choke you with your own words if they sense that there is an imbalance between the paper and the implemented process. So, while documentation does indeed “check a box” for your auditors, be sure that the contents of that box have not spoiled. If you can maintain up-to-date documentation, and you can gain reasonable assurance that staff are familiar with the policies and procedures, you are at least positioning yourself to achieve regulatory or industry compliance.
Another truth is…documentation provides the means for consistent execution of control procedures. Ad hoc procedures tend to drive operating risk to unacceptable levels, particularly when precision is required and, perhaps, sensitive data is at stake. Think of this simplistic, albeit relevant, example that relates to security: Let’s say your organization does not have a documented policy and commensurate procedure regarding Emergency Access. If I employ social engineering techniques that use fear to gain system access under the auspices of an emergent situation (i.e., I’m a doctor and the life-safety of a patient is at risk), and the poor help desk technician has neither been trained on the proper procedure for provisioning system access under those conditions nor has documentation of it to reference, the result may be unauthorized access. Another situation might be the lack of restoration procedures for data that is backed up on either disk or tape…if the technical staff has not documented the process, a critical step might be missed and the restoration may fail. Consistency is king when considering either procedural or technical control execution. If standards for such controls are not documented, and updated as necessary, there is a greater propensity for inconsistent execution and even control failure.
The final truth is…people should be considered potential single points of failure. When certain people leave the organization, whether expectedly or unexpectedly, it goes without saying that they take a great deal of knowledge with them. If at least the critical portion of their working knowledge is not documented, then most assuredly they take with them much more than the organization can afford to lose. I have evaluated many organizations that roll the dice and place deep reliance on a single person without so much as creating a basic succession plan. While it is not prudent to document the expansive details that comprise all of a specific person’s work activity, it is far less prudent to forgo documentation altogether. When it comes to control procedures and standards in particular, an ounce of ink is worth a pound of continuity.
Ron Pelletier is a partner with Pondurance, a Certified Business Continuity Professional (CBCP) since August of 2000, and a Security, Continuity and Compliance practitioner since 1997. He also holds the CISSP, CISM, CISA, CEH, and CCFE certifications.