To reduce the potential for compromise, loss or the unauthorized modification of critical or sensitive IT resources or data, procedures should be established to formalize the work flow process and provide the procedural protection determined by the data owner to be appropriate. Such procedures are particularly important for office environments, since a relatively new and powerful processing capability has been placed into the hands of persons who frequently have had little experience or training in IT security matters.
Standard procedures define the authorized actions to be performed in different circumstances and are invaluable for training new employees, to avoid unintentional problems or to recover from these problems if they should occur. They also allow the manager to detect procedural deviations which could signal the need for corrective actions ranging from additional training to disciplinary action. Formal procedures should be developed with these objectives in mind.