Policies, Procedures, and Governance of an Organization

Internal rules: What they are and document types

Consider what an internal rule might be. It could be a verbal rule or other type of informal requirement, including organizational cultural norms. Often, rules should be in writing, and we will focus on written rules, especially three main governance document types.

Why most organizations need written internal rules

Good management principles often suggest that organizations need written governance documents. These written rules also play an important role in managing legal, regulatory, and cybersecurity risks, Sometimes laws or regulations (“external rules”) may require they exist.

External rules, requirements, and resulting legal risks

Organizations should evaluate all applicable legal requirements, what I call “external rules”. External rules come from laws, regulations, contracts, principles of negligence, and more. External rules impose consequences if the organization does not comply, and that requires evaluating legal risks and how to manage them.

  • New York’s SHIELD Act (“Stop Hacks and Improve Electronic Data Security Act”), GBL 899-aa and GBL 899-bb, imposing cybersecurity and data breach notification requirements on most organizations
  • Growing privacy laws and regulations including the Federal Trade Commission (FTC) rules and the California Consumer Privacy Act (CCPA)
  • Cybersecurity regulations for the financial and medical sectors, including New York’s Cybersecurity Requirements for Financial Services Companies, 23 NYCRR 500 (“Rule 500”) and federal regulations as outlined through the Federal Financial Institutions Examination Council (FFIEC) and HIPAA and HITECH.

Internal rules must align with external rules

Internal rules need to align to external rules, and actual practice needs to align with both. Thus, there are three important areas for organizations to consider:

  • External rules and requirements based upon applicable laws and regulations, contracts, and other legal requirements
  • Internal rules created by the organization and put into writing, such as policies, standards, and procedures, and
  • Practice: What the organization and their employees do.
  • If internal rules do not comply with (or conflict with) external rules
  • If organization practice does not comply with written internal rules.
Three Platforms to Connect — Watch the Gap by John Bandler

The need for cybersecurity and privacy documents

The creation and maintenance of a cybersecurity (information security) policy and a privacy policy should be a priority for most organizations. Here’s why:

  • Cybercrime is a serious threat to every organization and its customers, clients, and employees. Protecting against cybercrime requires good cybersecurity, and good cybersecurity often starts with having good information security governance documentation.
  • Cybersecurity is an area of increasing legal requirements.
  • Incident response planning and data breach notification rules indicate that documentation needs to be in place prior to an incident.
  • Privacy is an increasing area of legal requirements which may require organizations to maintain (and follow) a privacy policy.
  • A proper process of developing and creating these policy documents helps organizations grow, become more efficient, and protect themselves and their customers.
  • Regulated (financial, health, etc.)
  • Within New York State, or another state with “reasonable cybersecurity” requirements (or doing business with customers in those states)
  • Collecting information about customers, clients, patients, donors, or employees
  • Make any claim about their level of cybersecurity
  • Considering applying for cyber insurance
  • Desiring to protect themselves from cyberthreats.
  • Anti-fraud and anti-money laundering practices (in certain sectors)
  • Human resource issues including hiring, firing, workplace conduct, anti-discrimination, and more
  • Organizations in the non-profit sector probably should have policies on whistleblowers, document retention, conflicts of interest, and more. It is good governance, and they may need to answer questions on their annual filings about whether they have these policies or not. Their answers must be accurate, and a truthful “yes” is usually a preferred option.

Introducing the handy ENTER acronym

Organizations should do these things, using the helpful and memorable ENTER acronym:

  • external rules and how they apply to the organization
  • how to best comply with external rules
  • how to protect the organization from legal risks and cybercrime threats
  • how to prioritize compliance requirements
  • the priority for the creation and maintenance of governance documents
  • comply with external rules
  • are clear, consistent, understandable, and helpful
ENTER: Five Steps for Organization Governance Documents by John Bandler
  • “Maybe we can consciously ignore this external rule, because we might not get caught, and even if we do get caught, the penalties might be mild.”
  • “We need to get a policy in place quickly so we have it and can show [insert name]. But we don’t really need to follow it.”


This short article is for your information and learning, and of course is not tailored to your circumstances, nor is it legal or consulting advice. It also contains my opinion and perspective.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
John Bandler

John Bandler

Cybersecurity, cybercrime prevention, privacy, law, more. Attorney, consultant, author, speaker, teacher. Find me at JohnBandler.com