Reading Your Own Security Policies with Fresh Eyes
Most security policies drift. A policy review closes the gap between what's written, what's remembered, and what staff actually do on a Tuesday afternoon.
The document on page 43 is not the program.
Most organizations we audit in Southwest Florida have a policy binder. Many have a shared drive folder. Some have a handbook that was printed, distributed, and filed away. Every one of them, somewhere, has a policy that no longer matches what the organization actually does.
This is not a moral failure. It is the nature of living organizations. Buildings change. Staff turns over. Software gets replaced. Threats evolve. The policy written in 2019 was written for a facility that no longer exists in quite the same form.
The purpose of a policy review is to close the gap between the document and the reality. Nothing more, nothing less.
The categories of policy drift.
A policy drifts in one of four ways. Identifying which kind of drift is happening is the first step in fixing it.
Drift by silence
The policy exists. Nobody has read it in years. New staff are onboarded orally, without reference to the document. The document still says what it always said. The organization has moved on without it.
This is the most common drift we find. The fix is not to rewrite the policy. It is to reintegrate it into onboarding, training, and review.
Drift by accretion
The policy has been edited over the years. Each edit made sense at the time. No one has reread the whole document in its current form. The result is a policy with internal contradictions, orphaned clauses, and references to systems that no longer exist.
The fix here is a full read, often by an outside reviewer, and a consolidation.
Drift by reality
The facility has changed. The wing built in 2023 is not addressed in the emergency plan. The new pickup door is not in the daycare protocol. The policy says “the conference room” but there are now two conference rooms. The staff work around the gaps informally.
The fix is to update the document to match the building.
Drift by practice
Staff have quietly stopped doing what the policy requires. Sometimes for good reasons. Sometimes because the policy was unworkable. Sometimes because nobody enforced it. The document says one thing, the Tuesday afternoon shift does another, and when an incident happens the gap becomes important.
This is the drift with the highest stakes. The fix is either to update the policy to reflect reasonable practice, or to resume enforcing the policy as written. Either way, you cannot leave the gap.
What a policy review actually does.
A policy review is a reading exercise, a comparison exercise, and a conversation exercise. All three matter.
The reading
The first thing we do with a client’s policy set is read it end to end. Not skim. Not sample. Read. Most clients cannot remember when anyone last did this. The reading itself surfaces:
- Internal contradictions (the handbook says one thing, the emergency plan says another)
- References to personnel who no longer exist in the roles named
- References to buildings, wings, or systems that have changed
- Language that was pasted from a template and never adapted
- Sections that assume a piece of technology the organization no longer uses
The comparison
With the policies read, we compare them to what we observe during the walkthrough and staff interviews. The comparison produces the most valuable findings: the specific places where written policy and real practice have diverged.
The conversation
The final piece is sitting with leadership and talking through what we found. Not handing over a report. Reading the findings with them. Hearing their context. Understanding why practice has drifted, and deciding together how to close the gap.
The policies we see most often.
A representative small-to-mid organization in Fort Myers or Naples typically has the following written policies, each in a different state of currency:
- Emergency action plan (fire, severe weather, medical, lockdown)
- Volunteer policy, including background check requirements and conflict of interest
- Child safety policy (for organizations serving children)
- Cash handling procedures
- Visitor and guest management protocol
- Access control policy (keys, codes, fobs, and termination)
- Acceptable use policy for technology and data
- Incident reporting protocol and escalation chain
- Media and communications policy for incidents
Review each of them individually. Then review them together, looking for the places where they should cross-reference each other and do not.
The Hurricane Ian test.
Southwest Florida organizations got an unplanned stress test of their emergency policies in September 2022. Hurricane Ian made landfall as a Category 4 near Cayo Costa on September 28. Lee, Collier, and Charlotte counties were directly in the path.
The post-Ian conversations we had with clients were consistent. Organizations whose emergency policies had been rehearsed, updated, and understood performed well. Organizations whose policies had been filed and not read struggled. Some of those organizations updated their plans in the weeks after the storm. Some still have not.
The lesson is simple. A policy that gets read under pressure for the first time is a policy you are relying on hope to execute. A policy that has been read, rehearsed, and understood is a tool.
The verse is about preparation. Jesus is describing the foolishness of starting something without reviewing the cost of finishing it. A security policy that is not periodically reviewed is a foundation laid and forgotten.
What a policy review produces.
A policy review deliverable is not a rewritten handbook. It is a map of findings. For each policy in the set, we identify:
- Whether it is current, drifting, or materially out of date
- Specific passages that need updating, including proposed replacement language where appropriate
- Cross-references that are missing or broken
- Conflicts with other policies
- Sections that should be added based on our walkthrough observations
- A priority ranking, so the most consequential gaps get addressed first
The output pairs with the physical walkthrough findings. Together they form the full security audit picture.
Where to start, this week.
If you cannot schedule a formal review soon, here is a short exercise you can do yourself:
- Pull your emergency action plan. Read it from the first page to the last. Note every place you paused, reread, or thought "wait, is that still true?"
- Ask three staff or volunteers (separately) to describe, in their own words, what your organization's policy is for a specific scenario: a medical emergency during service, an unauthorized person in the building, a severe weather day. Compare their answers to each other, and to the written policy.
- Check your volunteer roster against your background check records. Every name should have a current check. Every check should match a current role.
- Open your acceptable use policy and your volunteer handbook. Read them side by side. Look for contradictions.
- Write down three questions your policy does not answer. Those are your highest-leverage updates.
Fresh eyes are cheaper than incidents.
Every organization we have worked with across Fort Myers, Cape Coral, Naples, and Port Charlotte has benefited from a serious policy review. Most of them did not know how much they needed one until they were in it. The review is not about fault-finding. It is about alignment: bringing the documents, the practice, and the people into the same reality.
If your policies have not been read end-to-end in a while, we would be glad to be the fresh eyes. The value is in the reading, the conversation, and the plain-English updates that come after. No jargon, no padding, no rewrite for its own sake. Just policies that match your program again.