Hi Brian,
I have been writing policies, mostly IT, and participating in either designing or testing internal controls, for the past 25 years. Because we don't have a universally accepted definition of what a policy is, I will give you my 2 cents worth (P.S. you can decide on a definition of policy, rule, standard, process, procedure, practice, guide, etc. as long as everyone at your company agrees that's what they mean). I am happy to send you my diagram with definitions if that is at all helpful.
Policies are statements of intent - they don't contain procedures, requirements (standards), rules or processes -- those are all different types of documents that support a policy. When an auditor makes a suggestion about something being in a 'policy' I have never taken that to mean literally a policy but any governance document (where it fits best). An auditor is looking to see that you have documented and enforced 'something'. My experience is they use that word to mean any governance document.
I also don't like the idea that a policy is a rule or a directive (a rule is a specific, actionable, testable rule that is under the control of the business and supports a business policy, e.g., no smoking.)
An intent (policy statement) for a Third-Party Risk Management policy is "All potential third-party suppliers are assessed for their criticality to Company ABC and for each, a risk assessment, including cyber security, is established with corresponding controls and metrics. Third parties are continuously monitored for changes in their risk profile". This example policy rarely needs to be updated because your intent tends to stay the same, but how you assess a third party (process), on what requirements (what sort of encryption standard or other requirement is needed from them), or the procedures can change based on need. In most organizations, changing or updating standards, procedures and processes is usually much faster and easier than changing a policy.
Then you could have a gabillion standards (requirements for different risk categories of suppliers if that was appropriate), processes and procedures.
Original Message:
Sent: 11-04-2021 01:00 PM
From: Brian Bowen
Subject: PCI covered in Vendor Management Policy
Looking for some suggestions... We received a suggestion from an IT Auditor that we needed to include information in our vendor management policy pertaining to PCI for those vendors to which this would be applicable. Do any of you address this in your vendor management policy? If so, please share.
Thanks