Many organizations have been working on compliance for a while. An essential part of this is implementing measures and procedures across the organization. Fortunately, compliance is becoming more of a living practice in many organizations.
In both information security and privacy compliance, many organizations choose to document specific procedures. What do you do if the power goes out? What do you do when you detect an intruder? What if a client calls because they have received a letter containing someone else's medical information?
From falsely safe to genuinely safe
To arrive at a solution quickly and correctly in an emergency, procedures are drawn up that state exactly who has which task and in what order the steps must be carried out. Writing these steps down gives guidance and a feeling of safety: after all, everyone knows exactly what to do in a calamity. But it is vital not to lapse into a false sense of security. Do your employees know which procedures are in place? Are they actually used? Where are they stored, so that they are readily accessible to employees?
After procedures have been described, it is crucial to make them workable. Introducing new procedures is not always easy. Many people are creatures of habit, and the argument ‘but that’s how we’ve always done it’ is often heard. As a result, new procedures end up at the bottom of a desk drawer and people fall back into old patterns when an incident occurs. It is therefore essential to introduce employees to the new ways of working and to repeat this regularly; the power of repetition plays a role here. There are also other ways to keep procedures ‘top of mind’. What resources have you used to bring procedures into the organization? Have key people been appointed?
There are various ways to integrate procedures properly into employees' working methods. Tests, such as exercises that simulate an incident, allow you to analyze how employees react in critical situations, and the results give insight into the adoption rate of the new procedures. Embedding process descriptions in tooling can also help. Many organizations have already documented certain compliance processes; by extending these with step-by-step plans, employees can quickly determine which steps they need to go through in a given situation.
Take, for example, process description software from Mavim or Sensus, in which you can describe and record processes. By extending this with a compliance tool, you can also link compliance-specific information to these processes: think of protocols around data breaches or the purchase of a new application. It is also good to link processes not only to procedures and work instructions but also to the people responsible for them within the organization. This way you relate technology to processes and people, which is the core of managing a future-proof compliance program.
Audittrail is an audit and advisory organisation in the field of security, privacy and GRC. Audittrail supports organisations with setting up awareness programs and offers organisations insight into the awareness level of their employees. Are you interested in how your organisation responds to a phishing email, or do you have questions about this article? Let us know via firstname.lastname@example.org or through +31 71 747 17 17.