Governance Part 4: Standards

We’ve covered how management uses policies to govern an undertaking, whether that’s a business, a household, or one’s career. Today we’ll continue the Governance series with a look at standards and how they bridge the gap between executive ideals and technical practicality.

The relationship between a policy and a standard is similar to the relationship between a vision and a mission: Standards are management’s requirements for conducting business in a way that complies with policy. Being high-level documents, policies rarely translate directly into specific instructions on how to perform specific tasks. This is as it should be. After all, policy statements come from executive management. Do you want to have to get the Mayor of your city to sign off every time you try a different light bulb, or do you want to be able to just swap light bulbs as long as they fit in the socket and won’t short-circuit your house?

A standard bridges that gap. A well-written policy will specify which role has the responsibility of setting and updating the standard. That’ll generally be someone in middle management who either has the technical expertise to set the standard, or has those people reporting to them. Frequently, that’s a simple task for the middle manager, as they can point to an industry standard and say, “Our standard is to meet that standard.” As a result, you don’t have to rewire your lamps every time you move from one city to another. It’s also why you need a special adapter when you go to Europe.

There are many technical standards, but they are not the only standards. There are ethical standards, moral standards, and professional standards. They are as important as the technical ones, and much harder to define and implement, as world history shows.

When I audit governance processes, standards are part of what I look at. There are several things an auditor checks for, so it makes sense for you to check them as well. Are the standards complete, meaning does every policy have a standard that supports it? Do the standards correctly reflect the policies they support? Are they consistent with one another, and if not, has management indicated which prevails? Leaving that decision to middle management is a Bad Thing.

I hope this has been a helpful explanation of standards, why they’re important, and what makes them good. What standards do you have in your life or business? Do they ever come into conflict with one another? If so, how do you resolve them?

*** This is a Security Bloggers Network syndicated blog from Defense Rests authored by Dan Holzman-Tweed. Read the original post at: