Security Procedures and Playbooks

From Security for Everyone, edition e1.0.0. Updated October 9, 2023.

To recap: our policy defines our security principles, and our standards define the requirements we need to align with those principles.

That brings us to procedures and playbooks, which turn the standards into action. They give our team the tools and instructions they need to meet the security expectations placed on them through our policy suite in a way that can be measured, repeated, and iterated on as our business evolves.

Important: Procedures and playbooks are living and evolving operational documents that should be collaborated on across your team. They exist to teach teams how to carry out their responsibilities, to reduce key person risk, and to ensure that whenever these important tasks are carried out, they are done consistently.

What’s the difference between a procedure and a playbook?

Definition: A procedure is a singular action or set of steps that define how you consistently complete a task. For example, you may have a procedure for how to refill the coffee machine in your office.

Definition: A playbook is a set of actions or steps you would follow to navigate a more complex scenario. They will often include multiple decision points and paths that are based on the context.

Do You Need a Procedure or a Playbook?

When deciding whether you can define a simple procedure or need a more comprehensive playbook, start with the following three questions:

  1. Is the action we need to take singular or simple to define?

    • If yes, then it’s probably a procedure you need to develop.
  2. Does it have different pathways or variations depending on some form of context?

    • If yes, then you probably need a playbook that can advise the person or team taking action what to do in a variety of situations.
  3. Does this action fit in with other, non-security actions or processes?

    • If yes, then it’s probably an existing procedure you need to adapt or add to (while respecting the original purpose).

Once you decide what you need, take a set of requirements defined by a standard, and turn them into easy-to-understand, repeatable steps that can be completed by someone on your team.


Example Procedures and Playbooks

Let’s go back to our example standard and pick out one of the actions that we created to support our policy.

Example: All staff must read and acknowledge they agree with these responsibilities before they are assigned any access to data or systems.

Using our guide above, we should be able to determine that it’s a procedure we need to develop rather than a playbook, since:

  • Our requirement here is short and concise.

  • There are very few variations on how it will happen or how it applies to different situations.

In this case, our procedure is to ensure that all new hires read and accept the “Acceptable Use” guidelines we have developed.

The easiest way to implement this is to add this to our “New Hire Onboarding Checklist” as per the example below. As there are many different things a new employee is expected to do in their first few days, this will fit with the existing processes without causing disruption or breaking the cultural flow of the new team member’s first week.

Example: New Hire Onboarding Checklist

Hello and welcome to the team! We are very excited to have you join us.

Week 1

  • Reading: Read up on our values. Our values are important to us—they help us understand how to work together, inform the tone and voice we use in our communications, and allow us to know how to respond to our customers or the community.

  • Paperwork: Read our acceptable use guidelines and complete this form. Everyone here has a responsibility for security. This short set of guidelines will help you to understand what is expected of you and how to make security part of your new role.

Now let’s take a look at a potential playbook scenario from the same security standard:

Example: ACME Limited must ensure that all people working for the organization are screened to minimize risks to the security of the organization’s information and systems, including verifying their:

  • Identity and right to work

  • References and qualifications

  • Record with the Ministry of Justice

The recruitment process for roles that are expected to have access to sensitive information or to have financial responsibilities should include additional pre-employment checks appropriate to the risk level of the role.

This time the requirement is more complicated and includes a number of different configurations or pathways depending on the role and location of the new employee.

  • Employees working remotely or in subsidiaries may require different background checks.

  • Roles handling sensitive information or financial transactions may require credit checks or additional character references.

  • Temporary employees may need a cut-down set of checks proportional to their intended period of employment.

In this case, a playbook is needed. This playbook will walk through step-by-step instructions for each of these scenarios and make it easy for the hiring manager to decide which checks are needed and action them.

As you can see, whether it’s as a procedure or a playbook, our policy principles are defined in our standards and implemented in our procedures and playbooks. They are a linked hierarchy of documents that outline our security expectations as a company and give our team the tools and instructions they need to meet them (and if you do it well, there isn’t a bit of legalese in sight).

Pros and Cons of Information Security Templates

All of this may seem overwhelming and like a huge commitment of time and resources. As a result, many people turn to their handy local search engine and type “Information Security Policy Templates” in the helpful little box. Often you will find dozens of collections of policy templates, often referred to as “policy suites.”

I get it; we have all been there. You never want to solve a problem that has already been solved, and why invest this time and effort if you can simply buy, download, and customize a policy suite?

Are Off-the-Shelf Policy Templates Worthwhile?
