This document is prepared and presented as a basic overview of contemporary best practices regarding written documentation – primarily security policy – needed within an effective security program. It is generic in that it is developed without a specific application or facility in mind. As such, all or parts of this information may not be appropriate for every building or facility. The intent is to provide fundamental information for non-technical and non-security readers.
Security documentation is the written material used to govern all aspects of a security program. Such documentation would include, at minimum, the following:
• Emergency Plans
• Training Material
• Informational Material
It can be said that there are – in essence – only three reasons for performance failure in an organization’s security program:
(1) There is NO policy and procedure addressing the issue;
(2) There is a policy and procedure addressing the issue, but it was not followed;
(3) The policy and procedure addressing the issue was followed, but the contents were inadequate to properly address the circumstances of the particular situation.
In the triad of architectural, technological and operational security, the policies and procedures are the foundation of the latter and are easily the most overlooked and most important aspect of a comprehensive and effective security program.
An organization’s policies and procedures are dynamic in that they must be continuously updated and constantly refined. Perhaps no other single aspect of an entity more clearly reflects its culture and philosophy than the body of written policies and procedures by which it governs.
STARTING AT THE TOP
Easily the most common obstacle in any attempt to develop security policies and procedures is the failure to have the full support of top management. At the very least, the direct approval of the top position is necessary. Ideally, the policies and procedures should be reviewed and approved by the governing body – such as the Board of Directors – or a committee thereof. This support from the top of the organization must also be clearly reflected in the document itself.
Additionally, management must support the effort through “example”. This means that the policies and procedures must apply to everyone, regardless of their position within the organization. If exceptions are to be allowed, the exceptions should be stipulated in the policy and procedure document.
If a “perfect” policy and procedure document could ever exist, even it would be of no value if the persons subject to its contents and responsible for its implementation and enforcement are not aware of the details. Traditionally, binders of printed documents were reproduced and widely distributed so as to be accessible to the workforce. Today, fewer printed copies are prepared and there is a greater reliance on electronic media. A best practice is for the security department to have its own website on the organization’s intranet. Among the many benefits of this is the ability to make the security policies and procedures readily available for reviewing and downloading, ideally in Adobe PDF format.
The essential contents of the policies and procedures should also be presented during employee orientations and included in an employee handbook.
Typical security documentation can be described as follows:
POLICY: The organization’s stated security objectives and requirements, in general terms. Policy also establishes departmental responsibilities and cooperative interaction where issues may overlap. Most importantly, it conveys authority. Policies address specific issues; however, the statements are usually very broad and without detail.
STANDARDS: Standards establish minimum performance parameters. These are statements that are usually “actionable”, “measurable” and/or “observable”. Standards are more detailed than Policies, and can often be the same as or similar to technical specifications.
GUIDELINES: Policies and standards require writing in a very precise and special way that avoids misunderstanding. Because it is not a narrative style that most people are accustomed to reading, some helpful explanatory notes can aid in comprehension. Guidelines serve this purpose but are not “requirements” in themselves.
PROCEDURES: Procedures are directed at persons responsible for taking action under the various circumstances and conditions, or in response to certain events. These are very specific and step-by-step to the extent practical and reasonable. Where Policies and Standards may apply on an enterprise-wide basis, there will always be a large portion of the Procedures that must be specific to each individual location or facility.
EMERGENCY PLANS: Generally, a given facility will have need for several emergency plans, each addressing specific events. Emergency plans are constructed – in part – so that they may be referenced in real time during an event. The most common emergency plans are in response to such things as a fire or bomb threat. Additional plans may be needed for other events such as an attack or when the threat of attack is elevated. Procedures within Emergency Plans tell people “where” they will go and “what” they will do when they get there.
A key aspect of a good manual is that it is relatively easy for any user to find the information they are seeking. Because a policy and procedure document is continuously revised, a conventional, single document with sequential page numbering would be less than optimal. Additionally, it is desirable to number the contents by some means other than page numbers, since these tend to change during revision. It is also very desirable to facilitate later reference to individual “provisions” within the document, similar to the manner in which government laws are numbered. An example structure might be something similar to the following:
1 = Chapter
1.01 = Subchapter
1.01.01 = Section
1.01.01.01 = Subsection
It is advisable to create a standard format or template for the pages in order to facilitate the replacement of pages with revisions, and for readability. The template should incorporate a place for the title of the chapter and a place for the date of the most recent revision. The document should contain a Table of Contents; a word index is a great enhancement.
Typically, an organization would have a general or master body of policies and procedures that are universally applicable across the entire global enterprise. Entities with multiple facilities will likely need to reserve certain subjects for further individualization for various locations such as different cities, states or countries in order to accommodate variations in applicable laws.
Additional policies and procedures will usually be needed based upon the specific nature of the organization, such as the business or industry in which it falls. Government regulatory compliance can be a major element of the document in some operations.
Where the policy manual is separate from the procedure manual – as is generally recommended – the related procedures should reference the corresponding policy.
There are myriad subjects that might be addressed in a comprehensive set of security policies and procedures. Many of the common subjects will overlap with areas commonly addressed by the Human Resources department, and sometimes with other units as well. It is strongly recommended that legal counsel review and approve all policies prior to dissemination.
Typically, policy is written in a narrative and semi-general format and the only “rule” is that the message be clear and unambiguous. Each policy would generally state the organization’s position on the subject, and most importantly, it should delegate the necessary authority and responsibility for developing the corresponding procedures for execution and enforcement.
Procedures are typically written in a “step-by-step” format. As a guide, security procedures for security officers should be developed with a new guard on his or her first day on the job in mind.
If policies are important, then adherence to policy must be equally important. The policy MUST set forth appropriate consequences for violations of any policy, in the form of disciplinary action. Failure to consistently enforce policies might tend to negatively impact the legal enforceability of all policies. Where an organization lacks the collective will to act to enforce a policy, that policy should be changed or abolished. No policy should ever continue to exist for which enforcement action is not instituted consistently.
No policy and procedure manual can be completely written in advance that will be applicable to any organization without customization and modification. The following is a list of basic subject areas – not in any specific order – that should be considered for inclusion in a security policy and procedure manual:
1.0 Statement from Executive Management
2.0 Security Department Mission, Purpose and Objectives
3.0 Security Department – General
3.1. Organizational Structure
3.2. Policy Enforcement
3.5. Background Investigations
3.6. Use of Force
4.0 Security Department – Management
4.3. Liaison with Government Agencies
4.4. Periodic Departmental Reports
4.5. Security Awareness Training of Non-Security Personnel
4.7. Staff Performance Appraisals
5.0 Security Department – Staffing
5.5. Post Orders
6.0 Security Department – Duties and Responsibilities
6.1. Policy Enforcement
6.3. Response to Criminal Acts
6.4. Suspicious Persons
6.5. Emergency Conditions
7.0 Information Protection
7.1. Document Storage for Business Continuity
7.2. Document Destruction
7.3. “Clean Desk” Program
7.4. Trash Removal
8.0 Lost and Found
9.0 Courtesy Escorts
10.0 Cash Handling
11.0 Parking and Traffic Control
11.1. Vehicle Registration
11.3. Vehicle Removal
12.0 Security Responsibilities of All Employees
12.1. Reporting Incidents & Suspicious Situations
12.2. Cooperation in Investigations
12.3. Privacy and Consent to Search
12.4. Contacts by Governmental Agencies
12.5. Contacts by the Media
12.6. Cooperation during Emergencies
12.7. Protection of Assets
12.8. Prohibited Items
12.9. False Reporting Prohibited
13.0 Lock and Key Control
14.0 Material Passes
15.0 I.D. Credentials
15.3. Vendors / Contractors
16.0 Workplace Violence
18.0 Medical Emergencies
19.0 Fire and Life Safety
19.1. Systems Inspection & Testing
19.2. Unsafe Conditions
20.0 Audits of the Security Department
21.0 Access Control
22.1. Overt Surveillance
22.2. Covert Surveillance
23.0 Security Screening
23.3. Parcels and Packages
24.0 Emergency Conditions
24.1. Preparation of Emergency Plans
24.2. Incident Command
24.3. Drills and Exercises