Last updated on 24 Jun 2017 by AllIncontext Limited.

Policies and Procedures

Created on 01 Jun 2017 by AllIncontext Limited.

The General Data Protection Regulation (GDPR) of the European Union (EU) comes into force on 25 May 2018. A Company, either based in the EU or doing business in the EU, might need to comply with the GDPR (for example, if a business already complies with the Data Protection Act [DPA]), and if this is the case it will need, amongst other things, a set of Documentation including Policies and Procedures. A good introduction is available from the UK's Information Commissioner's Office (ICO) at this link (HTTPS Direct), and this includes the 12 Steps to take now PDF (HTTPS Direct).

This Page contains the following Sections:
  • Sets of Policies and Procedures.
  • Framework underpinning each Set of Policies and Procedures.
  • Example of the SANS Clean Desk Policy.
  • Example Clean Desk Policy.
  • Example Clean Desk SOP.
These Sections are a distillation of work and experience gained in a UK Government funded Research Laboratory, and a UK International Business, over a 20 year period. Of course, terminology and what constitutes best practice changes over time, but the essence remains the same.

Sets of Policies and Procedures

There are two typical sets of Policies and Procedures in a Business:
  • The First set relates to a Quality Management System (QMS), exemplified by ISO 9001:2015 (HTTPS Direct) which allows a Business to create a Quality Manual for what it produces and how it interacts with Customers, Suppliers and Mandatory Bodies covering Laws, Standards and Compliance (Outward looking). If a Business has this set (which it might not), it will probably have a Quality Manager and, possibly, a small team supporting the Manager.
  • The Second set relates to what a Business does Internally, such as Business Strategy and Goal Delivery, or Day-to-Day Operational procedures. An example of the latter is a Clean Desk Policy. A Business will probably have more people involved with this Second set than with the First set.
If you want an overview of the ISO Quality Manual, see this PDF (HTTP Direct, not Secure) link to the Quality Works (HTTP Direct, not Secure) Document. Note that the PDF link, as of Jun 2017, is for the Seventh Edition and refers to ISO 9001:2008, which has been superseded by ISO 9001:2015 (see the ISO link above). In the PDF, the author, Mark Kaganov, points out that what many people refer to as the ISO Four Level structure is actually a Five Level structure, because the Top Level is a Policy.

Framework underpinning Each of the Two Sets

Each of the Sets has a framework which acts as a Top Level, and is what you would put as the Bullet Points on a Slide in a Presentation to anchor what would follow in the rest of the Presentation.
  • First set: ISO, page 29 of 90 of the above PDF:

    • Level 1 - Quality Policy.
    • Level 2 - Quality Manual.
    • Level 3 - Procedures.
    • Level 4 - Instructions.
    • Level 5 - Records.
    For more detail, see the PDF.
  • Second set: can be based on Rudyard Kipling's poem Six Honest Serving Men (HTTP Direct, not Secure) and is divided into two groups representing Strategy and Tactics:

    • Strategy: Why (Purpose), What (Goal) and Where (Authority).
    • Tactics: Who (People), How (Method) and When (Time).
    The Strategy Level is covered by Policy (Why, What and Where). The Tactical Level is covered by Procedure (Who, How and When). Policy dictates Business, or Organisation, Mission, Aims and Goals. Procedure dictates Delivering on the Policies.
The Second set can, and perhaps should, be part of the First set, but usually if a Business has more than one Operating Unit (OU), each has its own Second set of Policies and Procedures but probably doesn't have its own First set. In the PDF above, this point is covered in Chapter 5, page 79 of 90, under the Title Manual Reference Matrix. So, the ISO Quality Manual allows for Second sets of Policies and Procedures Documents.

In the PDF on page 30 of 90, the Author is of the opinion that Standard Operating Procedures (SOPs) should just be called Procedures. However, in the opinion of AllIncontext Limited, this is incorrect. SOP is a useful acronym (HTTPS Direct) and Procedures for Operational requirements usually follow an internal Standard (which might cover Format, Layout or specific Requirements), so a Standard Operating Procedure (SOP) is pertinent to day-to-day Business Operations. However, the choice is yours.

Example of the SANS Clean Desk Policy

This Policy, under the Second Set Framework, is both a Policy and an SOP. Although you can find many sources of Templates for Policies and Procedures, we will focus on the SysAdmin, Network and Security (SANS) Institute Information Security Policy Templates at this link (HTTPS Direct), which can be used at no cost. The Clean Desk Policy is under the General Templates at this link (HTTPS Direct) and is available as a PDF or a DOC File.

The SANS Clean Desk Policy is relatively short, which is good, but the Policy Section has as its focus: Who (People), How (Method) and When (Timeline). So this Section is actually an SOP. The Second Set implies that Policies are likely to vary slowly over Time, but SOPs might be updated regularly. Whoever owns the Policy is unlikely to want to update it when changes occur in the related SOP which is probably owned by someone else.

If a change in the Business leads to Shared Desks:
  • The Owner of the Policy doesn't need to make any changes.
  • The Owner of the Clean Desk SOP needs to make the relevant changes.
This is because a change to Shared Desks affects Who, How and When (SOP), rather than the Why, What and Where (Policy). It is possible that a Business might have different SOPs applicable to individual OUs, but they all adhere to the same Policy. This approach keeps things simple because People operate against Procedures (which can contain Deliverables), not Policies.

Example Clean Desk Policy

This SANS Clean Desk PDF (HTTPS Direct) is an example of a Free-to-use Policy that has a good structure. However, as stated in the Second Set, Section 4 in the above PDF can be extracted into a Clean Desk SOP. So that Section of the SANS Policy becomes:

4. Policy
The Policy is implemented in the Clean Desk SOP.

Notice that the above lends itself to implementation as HTML Files which can be referenced by Internet Shortcuts or Hypertext Links in any other Document.

Example Clean Desk SOP

Created on 10 Jun 2017 by AllIncontext Limited.
Last updated on 10 Jun 2017 by AllIncontext Limited.
Owner is A. N. Other of AllIncontext Limited.
Next Review Date must be no later than 10 Sep 2017.

Note: What follows is an excerpt from the Free-to-use SANS Clean Desk Policy PDF in order to show the Structure of the SOP. The excerpt is done under fair use of Copyright and quotes the original for the purpose of critical analysis by the reader.

Background

AllIncontext Limited accepts the Principle that Data is a Toxic Asset and therefore that Data must be managed. Part of this Management Process is a Policy on Clean Desks and its implementation through this Clean Desk Standard Operating Procedure (SOP).

Objective

To deliver Clean Desks in AllIncontext Limited subject to the Sections and Controls in the Policy. The occupant of Each Desk will comply with the following:

Start Quote of words from the SANS PDF.
  1. Employees are required to ensure that all sensitive/confidential information in hardcopy or electronic form is secure in their work area at the end of the day and when they are expected to be gone for an extended period.
  2. Computer workstations must be locked when workspace is unoccupied.
  3. Computer workstations must be shut completely down at the end of the work day.
  4. Any Restricted or Sensitive information must be removed from the desk and locked in a drawer when the desk is unoccupied and at the end of the work day.
  5. File cabinets containing Restricted or Sensitive information must be kept closed and locked when not in use or when not attended.
  6. Keys used for access to Restricted or Sensitive information must not be left at an unattended desk.
  7. Laptops must be either locked with a locking cable or locked away in a drawer.
  8. Passwords may not be left on sticky notes posted on or under a computer, nor may they be left written down in an accessible location.
  9. Printouts containing Restricted or Sensitive information should be immediately removed from the printer.
  10. Upon disposal Restricted and/or Sensitive documents should be shredded in the official shredder bins or placed in the lock confidential disposal bins.
  11. Whiteboards containing Restricted and/or Sensitive information should be erased.
  12. Lock away portable computing devices such as laptops and tablets.
  13. Treat mass storage devices such as CDROM, DVD or USB drives as sensitive and secure them in a locked drawer.
  14. All printers and fax machines should be cleared of papers as soon as they are printed; this helps ensure that sensitive documents are not left in printer trays for the wrong person to pick up.
End Quote of words from the SANS PDF.

This SOP will be reviewed, from time to time, according to any specifications in the Constraints, Assumptions and Reporting Sections of this SOP.

Scope

All Desks under the Control of AllIncontext Limited.

Constraints

None.

Assumptions

That infringement of this SOP will result in a Disciplinary proceeding, the outcome of which might be a Monetary Fine, or Dismissal from the Company, depending on the Severity of the Infringement. Please see the Policy or contact the Owner of this SOP.

Reporting

The Owner responsible for this SOP will report to the Steering Group Responsible for the Clean Desk Policy according to their published Schedule. In addition, Spot Checks will be done by the Owner's Team on a regular basis.

AllIncontext Limited is registered in England, No 04624520. Registered office address: 12-14 High Street, Petersfield, Hampshire, GU32 3JG.
