
CHAPTER 1

Information Systems Security Policy Management
For an organization to achieve its goals, its business processes must be reliable, affordable, and legal. Reliable policies require clearly defined processes. Most organizations use policies and procedures to tell employees what the business wants to achieve and how to perform tasks to get there. This way, the business can achieve consistent quality in delivering its products and services.

Policies and procedures need to be reliable, affordable, and legal, but they are not perfect. Even an inherently perfect policy would be perfectly implemented only if employees followed it and its procedures at all times, and we do not live in a perfect world: neither policies nor procedures are always perfect, nor do employees always follow them. Anyone who has cashed a check at a bank understands what a basic procedure looks like. A check-cashing procedure includes checking the person’s identification and the account balance. The bank’s policy states that when a teller follows the check-cashing procedure and the account has sufficient funds, the teller may give the cash to the account holder. The teller must follow this procedure to protect the customer and the bank from fraud. Failure to do so can be a substantial breach with significant deleterious consequences.

Business processes are highly dependent on timely information. It is hard to find an organization that does not rely on technology, whether it sells hamburgers, cashes checks, or builds the next-generation airliner. Processes use technology and information to make business decisions, keep food safe, track inventory, and control manufacturing, among other things. The more complex these technologies become, the more vulnerable they are to disruption, and the more people rely on them in their daily lives, the more exposed they are when these technologies do not work.

You can also think of a policy as a business requirement for actions or processes performed by an organization. An example is the requirement that a customer provide a receipt when returning an item to a retail store for a refund. That may be a simple example, but essentially, it places a control on the return process. In the same manner, security policies require the placement of controls in processes specific to the information system.

One of the challenges organizations face is the cost of keeping pace with ever-changing technology. This includes the need to update policies at the same time the organization updates technology. Failure to do so can create weaknesses in the system. These weaknesses make business processes and information vulnerable to loss or theft.

Many factors drive the requirements of information systems security policies, also called security policies, IS policies, or ISS policies. These include the organization’s size, its processes, the types of information the business deals in, and the laws and regulations that may affect the policies. Once an organization creates policies, it will face both technical and human challenges in implementing them. The keys to implementing policies are employee acceptance and management enforcement. A policy is worth little or nothing if no one follows it.
