This might not be the optimal forum for this discussion.
You might take a look at how ISO is structured.  I only know how it got 
set up where I work.  We have one of the ISO9000 variants, not computer 
security ISO17799 (or
BS7799) and ISO27001.  From a computer integrity perspective, ISO9000 is a 
joke.  It controls the layout and appearance of reports, not the accuracy 
of the data there.
There is one manual that heads of departments have.  It spells out in 
general terms what the company policies are, who may change which ones, 
with QC having the responsibility to maintain the manuals.  Many policies 
are statements of goals that can be stated on one piece of 
paper.  Signatures on the bottom by top managers.  Some of these are framed 
in the reception area.
There are more detailed manuals by department that have the procedures for 
implementing the policies, or getting the job done regardless of policies, 
and these have more widespread access by people in each dept.  Typically 
the head of a dept has both the general policy manual and the detailed 
manual for that dept.
In my experience, the vast majority of personnel are ignorant of corporate 
policies; they just know how to do their job.  People learn how to do the 
job from post-it notes left by prior workers, who in turn learned the job 
from a smaller earlier collection of post-it notes left by the person 
before them.  There is a total disconnect between the top of the company 
and the rank & file.  The top of the company does not know what the rank & 
file is doing.  The rank & file has no idea about policies, strategic 
plans, etc.
There is a manual out of HR that all employees receive, called the employee 
handbook.  We had to sign some paper acknowledging that we had received it 
and read it.
Periodically there are amendments & insertions that also come with similar 
acknowledgement forms.  It is a good job we have those periodic updates, 
since it reminds us to figure out where we put that manual, and review it 
once in a while.
That was the theory, but with turnover in QC & HR offices, and turnover of 
management, a lot of the detail has been abandoned.
Some top managers seem to think that because we have a computer system we 
are something special, so the computer room is included on "tours".  Of course 
rules that apply to the rank & file (no unattended visitors wandering our 
facility) do not apply to the guests of top managers, such as little children.
Over time, we evolved some security rules.
Then we got bought out by another company & the rules changed.
Whatever managers at the owner company ask for, we are to deliver, period.
This includes a lot of stuff that increases overall security risks.
We've just started formally documenting our iSeries security policies and 
procedures in order to become compliant with some security standards and 
regulations.  Management wants to include policies AND detailed 
step-by-step procedures in the same document and I maintain that it's 
important to keep the policy separate from the procedures.
Granted, when we're all finished, we could cut and paste all the policy 
into a separate document so maybe it really doesn't make a difference.
Your comments will be appreciated.
Thanks,
Bryan Burns
iSeries Specialist