Homework 04
Harrisburg University ISEM 547
IT Policy
Objectives
Why Policy?
Policy, Procedures, Guidelines
Writing IT Policy (Best Practices)
IT Policy Management
IT Policy
What are Policies, Procedures, Guidelines & Standards?
Policy: principles, rules, and protocols formulated or adopted by an organization to govern its actions.
The requirements outlined in policies are used to control and guide important organizational decisions (e.g., managerial, financial, administrative, acquisitions, contractual, programmatic, operational, technical, etc.) within the boundaries set by those policies.
Procedures: specific instructions used to implement policy requirements in a specific way; they are enforceable through the policy.
Guidelines: general rules, practices, and/or instructions that can be referenced to comply with policy; they are not enforceable but are recommended as best practices that should be followed.
Standards: something that is considered by an authority or by general consent as a basis of comparison (e.g., industry, protocol, academic, etc.).
The purpose of standards is to outline agreed principles or criteria so that their users can make reliable assumptions about a particular product, service, or practice.
Standards are often referenced in policies or can be used to frame a policy.
Policies should have a formal lifecycle and change management process
Why IT Policy is Important
Primary reasons for IT Policy:
Protecting corporate assets (keeping systems and corporate information safe)
Policy aligns stakeholders, drives desired behaviors and actions, and provides guidance on how to do things
Only written and published policy can be used to prove that the company has exercised “Due Diligence” in a court of law
There may be legal or regulatory reasons a policy must be created and published (e.g., HIPAA, FTI1075, Federal Green-Book Standard, etc.)
Policy enables an organization to manage business risk through defined controls that provide a benchmark for audit and corrective action
Without documented policies and procedures, each and every employee and contractor will act in accordance with their own perception of acceptable use, and system management will be ad hoc and inconsistent
Features of good policy
Features of good policy usually include the following:
Specific - Policy should be specific and definite. If it is uncertain, implementation becomes difficult.
Clear & Understandable - Policy must be unambiguous. It should avoid jargon and connotations. There should be no misunderstandings in following the policy; unclear policies lead to indecisiveness and uncertainty in the minds of those who look to them for guidance.
Uniform - Policy must be uniform enough that it can be efficiently followed by subordinates.
Appropriate - Policy should be appropriate to the present organizational strategies and goals and address the intended policy objectives.
Simple - A policy should be simple and easily understood by everyone in the organization.
Inclusive/Comprehensive - In order to have a wide scope, a policy must be comprehensive.
Flexible - Policy should be flexible in operation and application. This does not imply that a policy should be altered constantly, but it should be wide enough in scope that line managers can apply it in repetitive and routine scenarios.
Enforceable - Policy should be monitored against established criteria for how it will be enforced and how compliance will be determined.
Doable - Ensure that the policy can be successfully implemented and is not so restrictive or costly that the mission of the organization is placed at risk.
IT Policy
Types of Policy
IT Policy Types & Domains
Policy Types
General Program Policy: sets the strategic directions of the enterprise for global behavior and assigns resources for its implementation (e.g., conflict of interest, codes or standards of conduct, etc.)
Topic-Specific Policy: addresses specific issues of concern to the organization (e.g., e-mail, Internet usage, social media, physical security, application development, systems maintenance, BYOD, etc.)
System/Application-Specific Policy: focuses on decisions taken by management to protect a particular application or system (e.g., controls for financial management associated with AP, AR, and business expenses; the employee appraisal system; etc.)
Each IT policy (ITP) is categorized based on its primary subject matter. This categorization is called a domain.
IT Policy Domains
Security
Applications & Software
Architecture/Infrastructure
Services
Project Management
Procurement
IT Finance & Budgeting
Creating IT Policies
Creating IT Policy – Getting Started
Determining the need for, and framing, a new IT policy or revisions to an existing one:
What is the problem or issue(s) that you are trying to solve?
Has a risk assessment been completed that validates the extent of the potential risks involved with the problem or issue(s) (e.g., financial, legal, public relations, security vulnerability, etc.)?
How would a policy assist in remediating or mitigating the problem or issue(s)?
Can the problem or issue(s) be resolved by creating a new, or changing an existing, standard operating procedure (SOP), guideline, process, and/or training program?
How will the policy affect/impact your stakeholders?
Will this policy apply to the entire community or a subset?
Will this policy apply to users of a given product/service regardless of their affiliation (e.g., O365 users, SAP users, Windows machines, etc.)?
Will any costs be involved in implementing this policy?
How will your policy clarify how IS/IT does its business?
Will this policy impact your business partners and/or require contract modifications (e.g., background checks, nondisclosure agreements, security controls, product reference listings, etc.)?
Engage stakeholders and inquire as to what other factors should be evaluated and/or considered when creating this policy.
How would a policy impact customers in accessing and using your business and/or IT services?
What teams are responsible for the product and/or service area that is impacted by this policy?
Are there multiple teams? How will these teams coordinate the administration of the policy?
Is there any other related document that you want to refer to or incorporate in your policy (e.g., procedures, guidelines, standards, other policies, etc.)?
Who is the policy owner (considered the source of authority for this policy)?
Who shall review and approve this policy?
Note: Some of the above information may appear in your policy, but working through it will confirm whether or not you really need a policy.
Creating IT Policy – Getting Started
When developing policy, be careful not to say too much or too little. The more complex and detailed the policy, the higher the degree of maintenance and training required.
Policies should be written at a high level and incorporate standards, procedures, and/or guidelines to provide those affected by the policy with methods for implementing it and ensuring compliance.
When incorporating standards, ensure the standards are reasonable, relevant, flexible, and current.
Conduct research for existing policy examples that can be referenced.
Consult with subject matter experts and stakeholders when drafting the policy (e.g., on policy content and understanding impacts).
Do not embed the content of procedures, guidelines, and industry standards in the policy document. Reference them, but keep them as separate documents.
Sometimes a policy has progressive discipline actions. For example, policy language can list the situation: for the first offense you will receive sanction 1, for the second offense you will receive sanction 2, etc. Your policy language should state that the sanctions are enforced and are in the best interest of the service provider and the larger community.
Policy should be written with the features of good policy in mind.
Creating IT Policy - Draft
Draft the language
Now that you have your information, you are ready to write a draft.
Who will write the draft?
Don't assume that the team's content expert should be the person to write the draft.
Find out who is the most experienced writer on your team (could be the content expert) and ask that person to write the first draft.
The first draft is important because it sets the tone you want to present for the policy.
Creating IT Policy – Draft Suggestions
Here are some suggestions to help you write your draft:
Create a brief outline of the topics you want to cover
State clearly what your stakeholders can and cannot do
Explain how to correct an action
Include any terms that might be confusing to the customer and provide definitions
If appropriate, list any special circumstances in which this policy would not apply
If appropriate, include any time constraints (e.g., does this policy apply only at the beginning or end of a specific business cycle, or only at tax time?)
Policy Elements
An IT policy document should contain the following sections:
Organization Name & Logo
Policy Title
Policy Number (logical number sequence and categorized by policy domain area)
Date the policy was written
Date policy was last revised
Date the policy will be effective
Policy Statement
Purpose
Scope/Jurisdiction
Objectives
Definitions
Policy Requirements & Controls
References
The organization that is responsible for policy lifecycle management usually facilitates the creation and maintenance of policies and IT Governance Charters.
Creating IT Policy – Suggestions
Review and get final approval
It's time to send the draft out for review.
Send the draft to the appropriate reviewers and let them know that this is a draft and that their comments are welcome.
If you receive comments that are confusing, unclear, or contradict others' points of view, consider conducting a face-to-face meeting to review all the comments. That way, you will ensure that everyone has heard all the suggested changes and has agreed on the revised wording.
Where appropriate, incorporate the comments and be sure to indicate these changes.
Circulate the draft again until everyone agrees on the wording.
Send the policy to the approver(s) for final approval.
Creating IT Policy – Suggestions
Communicate to the Stakeholders
You have final approval for your policy and are ready to make it public.
How do you want to promote this policy? What medium and communications channels will be used to promote the policy?
Corporate home page or IT intranet site, CIO newsletter, webinars, forums, visits to departments, direct mail, and/or campus-wide email?
What is the timing for this policy (immediate, phased, big-bang)?
Depending on the breadth and impact of the policy, you might choose different strategies.
Certain corporate and IT policies require recurring training at certain times during the calendar year or every 2-5 years.
Creating IT Policy – Suggestions
Recommended bodies to reference for IT policies:
National Institute of Standards and Technology (NIST)
American National Standards Institute (ANSI)
Gartner Inc.
Institute of Electrical and Electronics Engineers (IEEE)
IT Security Policy Considerations
Every organization should have a strategy for how it will implement information security principles, technologies, and policies.
All of the following require, in some form, a written IT security policy:
PCI Data Security Standard (DSS)
Health Insurance Portability and Accountability Act (HIPAA)
HITECH Act
Sarbanes-Oxley Act (SOX)
ISO family of security standards
Gramm-Leach-Bliley Act (GLBA)
IT Security Policy Considerations
IT security policies within an organization typically encompass the following areas:
Acceptable Use
Organization Security
IT Asset Classification
Personnel Security
Physical & Environmental Security
Authentication & Access Controls (e.g., guest, employees, remote, business partners, etc.)
Business Continuity
Data/Information Security (e.g., encryption, data classification, e-commerce, DLP)
Network & Firewall
Incident Response Policy
IT Security Policy Considerations
Why is IT policy important? Think of a situation that could have been, or can be, prevented had an IT policy been in place.
List and briefly describe five features for structuring good policy.
What elements should be contained in your policy outline?
Group Discussion
IT Policy Management
IT Policy Adoption and Management
It is important to have a group within the IT organization that oversees IT policies and performs compliance audits.
The IT policy group also coordinates with the business side of the house regarding HR policies related to IT.
The IT policy organization should establish a policy lifecycle model with processes and procedures (e.g., request, create, modify, review, approve, communicate, publish, etc.).
New IT policies and changes to existing ones should require a formal review and approval leveraging IT governance entities.
IT Policy Domain Workgroups or Subcommittees shall review IT policies on an annual basis to examine waiver patterns, relevancy, and alignment, and recommend changes to the higher-level governance entity.
IT Policy Adoption and Management
There should be an IT policy waiver process to grant exceptions on a temporary basis. The IT policy waiver process should be linked to the risk management and audit compliance processes as well.
An IT Policy Dashboard should be maintained to provide the stakeholder community with a transparent and high-level reporting mechanism for all IT policies currently in the governance process.
Create a policy glossary to be referenced as a common standard language of terminology and definitions, to ensure consistency when developing policy.
Establish routine (20-day review), expedited (10-day review), and emergency (as determined by the CIO or CISO) process categories to be able to make IT policy changes in a timely manner based on the situation.
Leverage a robust EDMS (electronic document management system) with a configurable workflow process to facilitate the IT Policy LSM processes.
IT Policy Adoption and Management
Policy Reference Matrix
A policy matrix should be developed and maintained; it is typically the source of record for the IT Policy Dashboard.
This matrix maps existing policies to other policies. This provides IT policy stakeholders with a reference to which policies may affect other policies, particularly if a policy is modified or rescinded.
The policy matrix captures all published policies and their current status (active, create, modify, rescinded, etc.).
The policy matrix captures whether a policy has Product Standards references.
The policy matrix captures the IT policy Business Owner.
The IT policy coordinator should review the policy matrix on a routine basis and make the necessary revisions based on the current IT policy environment.
The policy matrix is usually an internal IT document, but it can be made available at the request of policy stakeholders.
IT Policy Adoption and Management
Key Steps in IT Policy Creation
Determine Need (new policy or changes to existing policy)
Request Submission (New or Change)
Policy request and approval
Research, evaluation, & SME consultation (impacts, standards, existing references, requirements, scope, costs, enforceability, etc.)
Draft the initial policy document
Stakeholder initial review and feedback on draft policy document
Evaluation and consideration of feedback/recommendations
Revisions and creation of final policy draft
Stakeholder secondary review and feedback
Evaluation and consideration of feedback/recommendations
Create signature ready IT Policy
Final Policy Approval
Communications to stakeholders
Publication
IT Policy Adoption and Management
It is important to establish an IT policy lifecycle management program from creation to rescission.
A formal process should exist for the following:
Policy Change Management
Policy Release Management
Policy Audit & Compliance Management
Policy Records Management
IT Security Policy Considerations
Why is it important to require formal review and approval of new IT policies and changes to existing ones?
What is the importance of establishing an IT Policy Dashboard, Matrix, and Glossary?
What key processes should be established to support the lifecycle management of IT policies?
Group Discussion
Assignments
Chapter 8 (IT Manager's Handbook)
Homework 4: IT Policy Management & Procedures