
Policy templates vs custom rules: when to pick which

Templates get you 80% of the way in 15 minutes. Custom rules cover the last 20%, but cost 80% of the effort. Here's how to decide which you need, and when.

Every PasteWarden customer asks the same question in their first week: 'Should we use the template or should we write our own policy?' The honest answer is almost always both, but not at the same time. Here is how to decide.

What templates do well

Templates get you 80 per cent of the way there in 15 minutes. That's not marketing; it's roughly the actual ratio, based on our customer-onboarding data.

A template like HIPAA Workforce codifies about 240 policy rules derived from the HHS guidance, healthcare-specific CERT advisories, and the incident post-mortems we've seen over the last four years. The template was written by someone who has spent their entire career understanding the regulation. Your first draft, written by your compliance lead between other things, will not match it on coverage.

Templates cover the known-known patterns. They also cover the 'known-unknowns', the patterns that almost every healthcare organisation needs but doesn't think to write down. Clipboard rules for NHS smartcard data are one example: if you serve healthcare organisations in the UK, you need that rule, even though you probably won't think to include it until an incident surfaces it.

Where templates stop working

Templates fail in the last 20 per cent, the part that's specific to your organisation. Examples from real customers:

  • A legal firm with a bespoke matter-management system that uses a non-standard field naming scheme
  • A hospital group using two separate EHRs after a merger, with slightly different patient-identifier formats
  • A financial-services firm with internal product codenames that need to be treated as regulated IP
  • A software company with a custom CI/CD pipeline where the auth tokens have a specific prefix no generic scanner catches

For each of these, the template will miss things. You need custom rules. The question isn't whether, it's when and how.

The 80/20 rule for rolling out policy

What works, in our customer data:

  1. Start with the template unchanged. Deploy to a pilot group, usually 30 to 50 people in the most-regulated department.
  2. Watch the overrides. PasteWarden logs every time a user overrides a block. The override reasons are the single best source of 'what's custom to us'.
  3. After two weeks, review the top ten override reasons. Most will be legitimate workflows the template didn't account for. Those become custom rules (allow lists or modified policies).
  4. After four weeks, expand to the full department.
  5. After six to eight weeks, review again. By now you've seen the shape of your actual policy requirement. Custom rules make sense. Don't write them earlier.

The mistake we see most often is customers writing custom rules before deploying, based on what they think they need. Those rules are usually about 30 per cent right and 70 per cent noise. By deploying the template first and watching the exceptions, you write custom rules based on actual signal.

The 20 per cent that's worth customising

Four categories are almost always worth writing custom rules for:

  • Internal identifiers. Matter numbers, patient IDs, customer codes, internal product names. No template will know yours.
  • Cross-app workflows. 'Allow copy from the CRM to Excel, but only to the Finance network drive, and only for users in the Finance directory group.'
  • Time-bounded exceptions. 'Allow paste to personal email for Sarah J. until Friday because she's working from abroad with VPN issues.' Custom rules with expiry dates.
  • Vendor-specific paths. If you have third-party contractors with access to a specific app, you'll want rules that apply to them alone.
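As an added illustration (not PasteWarden's rule format; the event fields, rule names and the 'template blocks, custom rules carve out exceptions' evaluation order are assumptions), here is how the cross-app workflow and time-bounded exception categories above evaluate against a clipboard action the template has already flagged, with a lapsed expiry falling back to the block:

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class ClipboardEvent:          # a clipboard action the template's detectors already flagged
    user: str
    groups: frozenset[str]     # directory groups the user belongs to
    source_app: str
    dest_app: str
    dest_path: str = ""        # destination file path, if the paste lands in a file

@dataclass(frozen=True)
class AllowRule:
    """A custom exception. A None condition means 'any'; expires=None means no expiry."""
    name: str
    source_app: str | None = None
    dest_app: str | None = None
    dest_path_prefix: str | None = None
    group: str | None = None
    user: str | None = None
    expires: datetime | None = None

    def matches(self, ev: ClipboardEvent, now: datetime) -> bool:
        if self.expires is not None and now >= self.expires:
            return False  # time-bounded exception has lapsed, fall back to the block
        return all((
            self.source_app is None or ev.source_app == self.source_app,
            self.dest_app is None or ev.dest_app == self.dest_app,
            self.dest_path_prefix is None or ev.dest_path.startswith(self.dest_path_prefix),
            self.group is None or self.group in ev.groups,
            self.user is None or ev.user == self.user,
        ))

def decide(ev: ClipboardEvent, rules: list[AllowRule], now: datetime) -> str:
    for rule in rules:                 # first matching custom rule carves out an exception
        if rule.matches(ev, now):
            return f"allow:{rule.name}"
    return "block"                     # template default: nothing carved out an exception

NOW = datetime(2024, 3, 6, 9, 0, tzinfo=timezone.utc)  # constructed clock: a Wednesday
AFTER_EXPIRY = NOW + timedelta(days=7)
RULES = [
    # Cross-app workflow: CRM -> Excel, only onto the Finance share, only for Finance members.
    AllowRule("crm-to-finance-share", source_app="CRM", dest_app="Excel",
              dest_path_prefix="\\\\finshare\\Finance\\", group="Finance"),
    # Time-bounded exception: lapses Friday 18:00 UTC, after which the block applies again.
    AllowRule("sarah-abroad", user="sarah.j", dest_app="personal-mail",
              expires=datetime(2024, 3, 8, 18, 0, tzinfo=timezone.utc)),
]
```

Scoping every condition (source, destination, path, group, user) is what keeps an exception from silently widening into a general allow; the expiry check is what makes the 'until Friday' rule actually end on Friday.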

The 60 per cent you shouldn't customise

Don't rewrite what the template does. The specific regex patterns for PHI, the list of credential-like strings, the set of known-bad destination apps, the standard PII identifier recognisers: these are maintained as part of the template and are updated automatically when the underlying threats or regulations change.

Customers who rewrite these end up with policies that drift out of date. Templates are a subscription, not a starting point.