There is no more exciting moment in the process of writing policies than when you call a meeting of various business representatives to approve a new policy and the meeting becomes mired down in an argument over the meaning of the word "should". Just as exciting is reading a policy that is intended to state clear corporate requirements, where every provision seems to contain the verb "may".
The reality is that far too many policy writers (including, at times, this author) misuse auxiliary verbs. The result is a significant potential for confusion, since employees cannot readily determine whether a provision is mandatory (something they "must" do) or optional (something they "may" do). I have even seen internal policy guides that specify which auxiliary verbs must be used in certain documents.
The auxiliary verbs that give me the most trouble are "shall" and "should". Far too many people instinctively read "shall" as meaning the same as "may". Hence the policy statement "Passwords shall contain at least six alphanumeric characters" is interpreted by many employees as a guideline for good password construction, not as a mandatory minimum requirement. Yet the American Heritage Dictionary defines "shall" as expressing "an order, a promise, a requirement, or an obligation", and "should" as "used to express obligation or duty". In other words, the dictionary makes both words mandatory, while everyday readers treat them as advisory. Standards writers face the same problem: a convention such as RFC 2119 has to state explicitly that SHALL means MUST and that SHOULD is only a recommendation, and that convention is of no help to an employee who has never read it. My suggestion: avoid "shall" and "should" in policies altogether. Write "must" for a requirement and "may" for an option, so that you minimize the chance of misinterpretation.
The other source of confusion is the failure to clearly delineate the difference between a policy and a guideline. Policies set out the rules and requirements. There should be no ambiguity in a policy, nor should its wording offer employees loopholes to avoid a clear requirement. If the policy is that all passwords must be at least six characters in length, then the language should lead the reader to the conclusion that a five-character password is unacceptable. Guidelines, on the other hand, provide best practices or methods for achieving compliance, and they are not the only acceptable means of compliance. A guideline might provide several examples of good six-character passwords. The critical distinction is that a guideline describes several methods for compliance without claiming that they are the only methods. Put another way, you cannot treat a guideline as a policy, since a guideline implies that there are other ways of achieving compliance than those it describes.
But try telling that to an overly aggressive and inexperienced auditor who reviews your procedures and faults you for not complying with a guideline. For this reason, it is advisable to preface each guideline with a statement that it contains recommendations, not the sole mandatory requirements for compliance. Also, make sure you rely on auxiliary verbs like "may" in guidelines and avoid "must" or "shall".
The next section addresses the Monitoring phase of the Framework.
©2009 ISRMC, LLC