Topic 10 Policies and Procedures in Security Management
LEARNING OUTCOMES
By the end of this topic, you should be able to:
1. Explain the need for policies and procedures in security
management;
2. Describe the organisational structure for policies and
procedures;
3. Explain the procedure of documenting policies and procedures;
4. Discuss the benefits of and need for compliance with policies and
procedures;
5. Explain the importance of written policy; and
6. Discuss the format and mechanics of policies and procedures.
INTRODUCTION
Policies and procedures play a strategic role in a company environment in which
employees make decisions. Policies and procedures become the media by which
business processes are documented and published. Through a well-conceived
policy and procedure system, the company's vision becomes an integral part of
company operations. These operations are the day-to-day planning and decision
making which guide the processes of development, security department and its
functions.
Policies and procedures (or operating practices) more often than not develop
slowly, informally, in an unstructured fashion over a given period. This could
range from months to years, depending on the nature of the organisation. Of
course, they evolve from the passing on of instructions (word-of-mouth
communication). Sooner or later these policies and procedures are documented in
writing.
(b) Accounting Controls are financial and provide the checks and balances in
the accounting system to:
(i) Prevent errors before transactions (sales, purchases, cash receipts, cash
disbursements, or payroll) are recorded;
(ii) Detect and correct errors in the accounting records; and
(iii) Safeguard the company's assets.
(c) Data Processing Controls may overlap both administrative and accounting
controls or they involve the input, processing, and output of computerised
transactions.
SELF-CHECK 10.1
ACTIVITY 10.1
(a) Every job has constraints surrounding it. Without written policies and
procedures, employees would be on their own to discover these constraints
by trial and error. The organisation would become disorganised and its
managers would not have the means to direct and harmonise their staff's
activities.
(b) Policies and procedures enable managers and their subordinates to clearly
understand the individual and group responsibilities including the
boundaries within which they have to work and the demands upon them.
(c) Policies and procedures set clear boundaries for jobs so that each employee
knows in advance what response he will get from others when making
decisions.
(d) Policies and procedures create a baseline to which subsequent change can
be referred and through which the way things are done is enabled.
(f) Policies and procedures provide individuals the freedom to make decisions
in the execution of their duties within defined boundaries and to help
avoid over-control by managers. If people are uncertain about the limits of their
job, they cannot feel free to act.
The benefits and logic of the written policy and procedure should be self-evident;
however, they are worthy of examination in some depth, including such factors
as consistency in performance, reduction of decision-making time, enhancement
of controls, and provision for objective performance evaluation.
Too often, ranking executives will massage policies and procedures to meet
particular circumstances, such as when security discovers an executive involved
in some form of internal theft and the amount stolen is not substantial. The policy
of the company is to terminate all employees caught stealing. The procedure for
terminating such employees, step-by-step, clearly defines the discharge process.
To avoid conflicts over compliance with written procedures, some firms operate
under "guidelines," which lie somewhere between policies and procedures.
Guidelines, by their very name, suggest direction but avoid any hint of absolute
compliance. One would have to stray far afield before being guilty of violating
any of the guidelines; they're just that loose and flexible.
Some organisations combine policy (the what) with their SOP (the how) (Figure
10.3). The following is an example taken from the contents of one firm's
procedural manual; following that is the actual statement of policy and
procedure.
Note the logical division of security activities/categories and how reasonable the
codifying system is. Let's look at section 10.8 to see what the policy statement
says about interrogations. (Remember: this is an example of the combined policy
and procedure.)
10.8.1 Procedures
(a) Individuals being interviewed must be told at the outset that they are not
being forcibly detained and need not choose to submit to questioning.
SELF-CHECK 10.2
1. What are the reasons for which policies and procedures are being
documented?
ACTIVITY 10.2
In our so-called civilised society, major employers are deemed desirable targets for
lawsuits; the existence or absence of a written policy could be a significant factor
in the final litigation outcome. If by chance an applicant was denied employment
for some reason other than the fact that he had a criminal arrest and conviction
record and if there were no written policy saying that convictions are not a bar to
employment, an applicant could conceivably set off and successfully pursue a
cause of action based on criminal conviction discrimination. The written policy,
however, would be an important defense in this case.
The security manual, then, is the repository of all written policies and SOPs that
pertain to the security function. The security manual of course contains other
material and information, such as job descriptions for all security classifications,
training materials, reports, and forms used by security personnel. However, the
contents of the manual are constituted mainly by written policies and procedures.
Today, word processing enables procedures and the manual to be more easily
created (and revised) in a timely manner and with relative ease.
Written policies and procedures deserve a special look, a format that sets such
important documents apart from more routine documents. Figure 10.4 is an
example of the format generally used:
Legend:
N Each procedure and the contents therein should be codified for easy
reference. In Figure 10.4 the General Security Committee procedure is
Security Procedure 11.01, and bomb threat incidents reported to that
committee are 11.01.2.e.
O That special look in this case is a vertical line margin with company logo on
the lower left bottom.
Q Each procedure should be dated. The presence of the date could suggest it's
time to reassess its viability or could reflect its absolute timeliness.
Post orders are the written procedures for security officers assigned to a specific
location or function. These orders are typically posted on the wall or placed in a
folder for ease of reference. They contain such site and task specific information
that even a stranger to that post should be able to read the orders and, based on
the instructions, perform the security tasks required. The following list is an
example of the kinds of information that may be found in post orders:
The writing format is the heart of a policies and procedures system. It provides a
structure for information collected during the research phase. A logical,
structured format is a basic necessity for any policy or procedure. Cohesiveness is
The writing format is the heart of any policy and procedures system. Without a
standard method of writing, policies and procedures tend to be inconsistent,
inaccurate, and inefficient.
For policies and procedures, the structure remains the same, only the content
changes. This writing format enables the reader to understand the main
objectives, ideas, methods, or processes being presented in the first several pages
of a document. Sometimes the reader may not have to read any further. This is a
benefit to the reader because he's more inclined to read something that appears
structured and orderly than something that appears unstructured and
disorganised.
SELF-CHECK 10.3
ACTIVITY 10.3
• Policies and procedures are tools for controlling and measuring performance.
• There's a degree of flexibility required when following procedures, and not all
policies require procedures for implementation.
3. If the policy is to terminate employees for theft and the procedure spells out
that process in detail, then every employee caught stealing will
automatically be terminated. True or false? Why?