Is Your Company Security Policy Worse than Worthless?


One of my earliest cases as a private investigator involved a chain of auto repair shops where managers at some shops were suspected of pocketing cash payments from customers. The owner also suspected that some employees were sneaking into some of the shops late at night after the business was closed and were using company facilities, tools, and diagnostic equipment to work on friends’ cars.

My investigation involved posing as a customer, hidden cameras, targeted surveillance, and some forensic computer analysis. At the conclusion of the investigation I was able to establish that more than one shop manager was routinely pocketing cash payments from customers and, in addition to using the shop in the evenings after business hours to repair friends’ vehicles, one manager was running a late-night, under-the-table car repair business using the company’s facilities and equipment.

One of the suggestions I made to the owner was that he should add some protocols to the company’s security policy about how managers handle cash payments from customers and also include some rules about after-hours use of shop facilities and shop equipment. To my surprise, the owner said his company had no security policy. At the time, I was surprised. But since then I have discovered more and more small businesses (even some medium-sized businesses) that have no written security policy. Of those businesses that actually had a written security policy, many had not reviewed or updated their policy in many years.

The importance of every business having a security policy.

Very few businesses in the United States are mandated by law to have a security policy. Establishing a security policy is not likely to solve security problems, but it is an important starting point. A well-crafted security policy provides a framework for identifying security risks and outlines how the company plans to protect its assets. It is also an unequivocal announcement from management that the company has a serious commitment to security, and it is a way for the company to commit to taking steps to secure assets and keep personnel safe and secure.

Often security policies are a mishmash of rules and procedures, guidelines, and maybe some standards, all rolled helter-skelter into one document and called a “Security Policy.” There is a difference between policy, guidelines and rules, and procedures, and these distinctions are not just academic.

In brief, policies are overarching principles from management and are meant to establish a tone and influence behavior. Standards are levels of quality or achievement and typically involve industry “Best Practices.” Guidelines are statements meant to guide behavior. Rules tell a person what to do or not to do in a specific situation. Procedures are a fixed way of doing something.

Rules and procedures are important parts of a well-crafted security policy, but the policy must come first. Standards flow from the policy and guidelines and rules flow from the standards. This is followed by procedures.

Effective security policies form the foundation of the company’s entire approach to security and creating a practical and effective policy is not something best done on a whim or by someone who lacks the skills or motivation to do it right. Crafting an effective security policy involves insightful planning and numerous sequentially layered steps. Often it is best to hire someone who has experience in security policy development to tackle the task or at least provide assistance.

Good security policies come in many shapes and sizes but the basis of a well-crafted Physical Security Policy includes:

* ASSET IDENTIFICATION. Identifying the assets that need protecting. In a physical security setting this includes buildings, parking lots & other premises, interior rooms & offices, points of entry, inventory, equipment, and many other things.

* ASSET VULNERABILITY ASSESSMENT. Effective asset identification should be coupled with an asset vulnerability assessment, as not every asset requires the same level of protection.

* ASSET PROTECTION STRATEGIES. What is the plan to protect specific assets?

* TRAINING. Who in the company needs security training and what type of training is best?

* EVALUATION and REVIEW. How will the effectiveness of the security policy be measured? How often will the security policy be reviewed and modified as needed?

Once these elements are articulated and documented in a properly structured Security Policy, then (and only then) should standards, guidelines and rules, and specific procedures be developed that support the overall Security Policy.

The elements in a physical security policy can be expanded depending on the company and business needs. Often, the physical protection of data is also addressed in a Physical Security Policy and the policy is married with an “IT” or data security policy.

Is your company security policy worse than worthless?

If a company does not develop its security policy through a systematic process of asset identification, risk assessment, protection strategies, and training of key personnel, and does not provide for an evaluation and review process, the security policy ends up just being a fancy document gathering dust on some manager’s shelf. When that happens, the security policy is worse than worthless.

How can something be worse than worthless? Having a security policy that is a haphazard conglomeration of policy, standards, rules, and procedures that just “evolved” over time, or was created by someone who lacked the skill or motivation to get the job done right, creates confusion among personnel. When confusion occurs, personnel are left to fend for themselves. Sometimes they get it right – sometimes they do not. And worse yet, sometimes supervisors try to enforce rules and procedures that are not consistently followed or enforced. This results in low employee morale, Human Resources-type complaints, and sometimes even lawsuits.

Businesses can minimize the occurrence of all of these problems by having a skillfully constructed and effective security policy followed by practical security rules and procedures.

George Babnick
George W. Babnick is a 34-year law enforcement veteran with an extensive background in physical security, criminal and administrative investigations, training, school policing, supervision and management, and criminal forensics. He recently retired as a Captain in the Portland, Oregon Police Bureau, where he managed the Training, School Police, and Forensic Evidence Divisions. He holds criminal justice degrees from Portland Community College and Portland State University and a law degree from Northwestern California University School of Law, Sacramento, California.

Mr. Babnick is a longtime member of the Western Society of Criminology and is the author of articles on security and law enforcement, investigations, supervision and management, and risk management related to these subjects.

As a physical security expert, George Babnick provides private physical security consultations across the United States and consults with clients outside the United States. He specializes in assessing security problems for small and medium businesses as well as select individuals. He offers independent, honest advice and expertise, with the goal of providing all clients with practical and cost-effective security solutions to enhance security and effectively manage business and personal security risks.

Mr. Babnick is also a licensed Private Investigator and conducts investigations for attorneys, businesses, and individuals throughout the State of Oregon.

To learn more about security consultation and investigative services offered, please visit http://babnickandassociates.com

Disclaimer: Nothing in any article on this blog should be construed as legal advice. Persons seeking legal advice should seek the counsel of an attorney licensed in their state.
  • As you stated, the lack of a security policy is unfortunately common during a startup or through the beginning years of most companies. What happens is that some companies finally get to a point where something goes wrong and then the situation must be dealt with and then a security policy (and often a haphazard one as you say) gets implemented after the fact. When consulting with businesses I emphasize security from the get-go. No business should wait until something goes wrong; that is a huge liability. You are also correct in your assertion that a poorly constructed security policy can be a disaster. A security policy should be from day one and strategically and thoroughly compiled in order to protect your investment. Why put all your hours, days and time into a business that you want to see succeed and fail to protect it in every way possible? I think optimism and trust are overrated when running a company; a little reminder to everyone and proper training can keep things healthy and respectful. This is an informative article. Companies be aware, a solid security policy is vital!

  • Antonio Sandra

    Security policy is very important to any company, large scale or small scale. It is a strategic way to ensure the proper running of a business. Companies must set their security policy from the very start to be on the safer side. I will put all this into practice when I set up my own company. Thanks ops for this well-written article.

  • James Oslar

    This got me thinking. I have worked for a company for 12 years and I have no idea if we have a security policy. Guess I’m not alone.