Homework 04
IT Policies & Procedures
1. What is the difference and relationship between policies, procedures, guidelines, and standards?
2. Why is IT policy important?
3. Think of a situation that could have been or can be prevented had an IT policy been in place; please explain.
4. List and briefly describe five features for structuring good policy?
5. Identify and explain elements should be contained in your policy outline?
6. Why is it important to have a policy waiver process established?
7. Explain the difference between IT policy dashboard and reference matrix. Secondly, explain the importance of each in effectively managing IT policies.
8. Outline the core steps involved in creating a procedures?
9. Describe the three types of administrative, technical, and physical controls (9-Total) that an auditor would evaluate? Secondly, provide an examples of each control and relevance to protecting corporate assets?
Harrisburg University
ISEM 547
IT Policy Procedures
Objectives
Policy, Procedure, Guidelines, Standards
When do you need a procedure
Creating Procedures Considerations
Guides to writing procedures
2
What are Policies, Procedures, Guidelines & Standards ?
Policy: are principles, rules, and protocols formulated or adopted by an organization to govern its actions.
Procedures are specific instructions to be used to implement policy requirements in a specific way; they are enforceable through the policy. Procedures are action oriented, factual and instructional.
Procedures are often integral components in policies outlining the particular actions or steps to meet policy compliance requirements
Guidelines are general rules, practices, and/or instructions that can be referenced to comply with policy; they are not enforceable but recommended as best practices that should be followed
Standards: refer to something that is considered by an authority or by general consent as a basis of comparison (e.g., industry, protocols, academic, etc.)
Standards are often referenced in policies or can be used to frame a policy
3
Creating Procedures
4
When do you need a procedure?
Not everything or IT policy needs a procedure.
The number-one rule of procedure writing is to make sure there’s a reason to create a procedure
Polices require specific processes or protocols are to be followed for compliance
Staff forget to take certain actions, perhaps they keep on getting things wrong
Tasks are so long and complex that people need guidance on doing things right
Serious consequences result when a process if done wrong
When a process or situation demands consistency
A written procedure is necessary only if the issue is important or if there will be a significant benefit from clarifying a process or outlining specific actions required for policy compliance.
5
Procedures
6
Creating Procedures – Considerations
Good procedure means understanding the process and the environment (things that influence or integrate with process)
Procedures documents will vary in specific features, based on the type of information that is detailed.
Effective procedure documents are those that have clear and consistent formatting so that readers know how to follow the material.
Paragraphs should begin and end without confusion so readers should not have to wonder where one step ends and another begins.
In describing steps: use strong action verbs, provide enough specificity and explanations to ensure that readers know exactly what to do
Embed relevant icons, images, graphs/charts, flow charts, or tables in the procedures to guide and facilitate understanding.
7
Procedures
8
Creating Procedures – Considerations
The writing style for a procedure document should rely on clear and concise language.
All procedural information should be accurate, and any acronyms should be clarified for instance, the “Food and Drug Administration (FDA).”
For procedure document that will be in circulation for some time, avoid using specific information that might become outdated quickly.
Technical language and jargon that will be unfamiliar to most, should be clearly defined (SaaS, DR, COTS, DDOS, MIPS, etc….).
9
Creating Procedures – Considerations
Effective procedure documents should be in outline format with clear headings, sub-headings, and labels (Diagrams & tables).
Those responsible for writing procedure documents are also responsible for reviewing them periodically.
If the information is not effective in helping employees, or attaining the desired outcomes; then the procedure should be revised and improved
10
Creating Procedures – Considerations
Writing a procedure that is accurate, brief, and readable isn’t always easy. But, with a bit of knowledge and practice, you can learn effective procedure-writing skills.
Well-written procedures help improve productivity and the quality of work within your organization
Ensure that the people who need to use a procedure have not only read it, but also understand and have used it.
Validate procedure before publication
11
Creating Procedures
12
Creating Procedures – Starting Block
The key planning activities for writing effective procedures is to research and gain a keen understand the process that the procedure will document
Have a clear understanding of the purpose, scope, objectives, circumstances, and target audience of the procedure
Research and collect information (consulting with subject matter experts, observe and interview process owners and process doers)
13
Creating Procedures – Starting Block
Procedure document should be derived from what you have learned from the planning phase
Once the research an planning phase is complete, define the core functions being performed, associated processes and sub processes (e.g., inputs, outputs, steps, activities, logical sequencing, interdependencies, resources, location, etc.)
Integrate meaningful illustrative components such as process maps, flow-charts, outlines, examples, and value streams
14
Creating Procedures – Illustrations Helpful
15
Creating Procedures – Illustrations Helpful
16
Budget Schedule
Item Q1 Q2 Q3 Q4 Owner
Budget Analysis x x x x CFO, COO, VPs
Budget Request VP & Department Heads
Income Statement x x x x Finance & Accounting
Sales Forecast x Sales & Marketing
Customer Analysis x x Sales & Marketing
Staffing Analysis x Human Resources & Department Heads
Creating Procedures – Illustrations Helpful
17
Business Systems Technical Specification Compliance Requirements
Item System 1 System 2 System 3 System 4 Owner
Technical Specification A x x x x Security
Technical Specification B x
x
N/A x
Infrastructure & Operations
Technical Specification C x N/A x x Applications
Technical Specification D N/A
x N/A
N/A
Help Desk
Technical Specification E N/A
x N/A
x Enterprise Messaging
Technical Specification F X
N/A
x N/A
EDC
Creating Procedures
Core Steps
18
Creating Procedures – Core Steps
Preparation:
Conduct research
Provide a purpose statement (why this procedure)
Provide an overview of the procedure
Identify prerequisite knowledge and skills, if any
Highlight any specific issues and other precautions
Define list of recourses, systems, equipment, supplies, or parts needed for the procedure
19
Creating Procedures – Core Steps
Writing Procedure
Define a logical sequence of steps and substeps
Define decisions and decision criteria
Ensure clarity and economy of words.
Write to the level of the reader’s ability
Define unfamiliar terms
Include hints and helps
Add illustrations, analogies, models, charts, pictures, workflows, tables, or anything that will aid understanding of the process and steps involved
20
Creating Procedures – Core Steps
Validate
Walk through and/or pilot test your procedure. Obtain feedback and recommendations from the target audience during this step. Is it understandable, effective, complete? Does it produce the desired results?
Revise & Revalidate
Evaluate and incorporate the feedback and recommendations and then retest and validate. Finalize the procedure document.
Publish
Issue the procedure document and establish mechanisms to periodically review to determine accuracy and relevancy as things may change within the environment or policy.
21
Creating Procedures
Procedure Document Outline
22
Creating Procedures – Outline
Title page. This includes 1) the title of the procedure, 2) identification number, 3) date of issue and last revision, 4) the name of the agency/division/branch the SOP applies to, and 5) the owner and author(s) of procedure.
Table of Contents. This is only necessary if your procedure is quite long, allowing for ease of reference. A simple standard outline is what you’d find here.
Purpose. Define the reason and rationale for the procedure. Include applicable policies, standards, and/or regulatory requirements that may be affiliated or driving need for procedure document
Scope and applicability. describe who shall follow, and how and when it’s used. Include policies, standards, regulatory requirements, roles and responsibilities, and locations.
23
Creating Procedures – Outline
Overview. Provide an synopsis of the procedure and processes outlined in the document
Methodology and procedures. The meat of the issue — list all the processes and steps with necessary details, including resources, inputs, outputs, sequential procedures, decision criteria, approvals, exceptions, and relationships to business and/or IT operations.
Clarification of terminology. Identify acronyms, abbreviations, and all phrases that aren’t common.
Resources. Complete list of what is needed and when, where to find systems, equipment, supplies, etc. (If required)
References. Be sure to list all cited or significant references. If you reference other SOPs, be sure to attach the necessary information in the appendix
Appendix. Section to append additional support documentation (if required)
24
Procedures
Typically, under what circumstances do you require a procedure?
What are the core steps in creating a procedure document?
Why is it important to validate the procedure?
Does anyone use or occasionally refer to procedures in their work environment?
25
Group Discussion
Assignments
Chapter 8 (IT Managers Handbook)
Homework 3: IT Policy Management
Project 2:
Part A: Create an IT Governance Matrix
Part B: Create a Governance Charter for Enterprise Security Committee
Part C: Write a Information Security Policy for Data Classifications
26
Harrisburg University
ISEM 547
IT Policy
Objectives
Why Policy?
Policy, Procedures, Guidelines
Writing IT Policy (Best Practices)
IT Policy Management
2
IT Policy
3
What is Policy, Procedures, Guidelines & Standards ?
Policy: are principles, rules, and protocols formulated or adopted by an organization to govern its actions.
The requirements outlined in policies, are used to control and guide important organizational decisions (e.g., managerial, financial, administrative, acquisitions, contractual, programmatic, operational, technical, etc.); within the boundaries set by them
Procedures are specific instructions to be used to implement policy requirements in a specific way; they are enforceable through the policy
Guidelines are general rules, practices, and/or instructions that can be referenced to comply with policy; they are not enforceable but recommended as best practices that should be followed
Standards: refer to something that is considered by an authority or by general consent as a basis of comparison (e.g., industry, protocols, academic, etc.)
The purpose of standards is to outline agreed principles or criteria, so that their users can make reliable assumptions about a particular product, service or practice
Standards are often referenced in policies or can be used to frame a policy
Policies should have a formal lifecycle and change management process
4
Why IT Policy is Important
Primary reasons for IT Policy:
Protecting corporate assets (keeping systems and corporate information safe)
The policy aligns stakeholders and drives desired behaviors, actions, and provides guidance on how to do things
Only written and published policy can be used to prove the company has exercised “Due Diligence” in a court of law
There may be legal or regulatory reasons a policy must be created and published (e.g., HIPAA, FTI1075, Federal Green-Book Standard, etc.)
Enable an organization to manage business risk through defined controls that provide a benchmark for audit and corrective action
Without documented policies and procedures each and every employee and contractor will act in accordance with their own perception of acceptable use and system management will be ad-hoc and inconsistent
5
Features of good policy
Features of good policy usually include the following
Specific- Policy should be specific/definite. If it is uncertain, then the implementation will become difficult.
Clear & Understandable – Policy must be unambiguous. It should avoid use of jargons and connotations. There should be no misunderstandings in following the policy. Unclear policies can lead to indecisiveness and uncertainty in minds of those who look into it for guidance
Uniform- Policy must be uniform enough so that it can be efficiently followed by the subordinates.
Appropriate- Policy should be appropriate to the present organizational strategies and goals and address the intended policy objectives.
Simple- A policy should be simple and easily understood by all in the organization.
Inclusive/Comprehensive- In order to have a wide scope, a policy must be comprehensive.
Flexible- Policy should be flexible in operation/application. This does not imply that a policy should be altered always, but it should be wide in scope so as to ensure that the line managers use them in repetitive/routine scenarios.
Enforceable- Policy should be monitored with established criteria as to how it will be enforced and determine compliance
Doable- ensure that the policy can be successfully implemented and not so restrictive or costly that the mission of the organization is placed at risk.
6
IT Policy
Types of Policy
7
IT Policy Types & Domains?
Policy Types
General Program Policy: sets the strategic directions of the enterprise for global behavior and assigns resources for its implementation( e.g., conflict of interest, codes or standards of conduct, etc.)
Topic Specific Policy: addresses specific issues of concern to the organization (e.g., e-mail, Internet usage, social media, physical security, application development, systems maintenance, BYOD, etc.)
System/Application –Specific Policy: focus is on decisions taken by management protect a particular application or system (e.g., controls for financial management associated with AP, AR, business expenses; employee appraisal system, etc.)
Each ITP is categorized based on its primary subject matter. This categorization is called a domain.
IT Policy Domains
Security
Applications & Software
Architecture/Infrastructure
Services
Project Management
Procurement
IT Finance & Budgeting
8
Creating IT Policies
9
Creating IT Policy – Getting Started
Determining need for and framing a new or revisions to existing IT policy?
What is the problem or issue(s) that you are trying to solve?
Has a risk assessment been completed and validated the extent of the potential risks involved with the problem or issue(s) (e.g., financial, legal, public relations, security vulnerability, etc.) ?
How would a policy assist in remediating or mitigating the problem or issue(s)?
Can the problem or issue(s) be resolved by creating new or changing existing standard operating procedure (SOP), guideline, process, and/or training program?
How will the policy effect/impact your stakeholders?
Will this policy apply to the entire community or a subset?
10
Creating IT Policy – Getting Started
Determining need for and framing a new or revisions to existing IT policy?
Will this policy apply to the entire community or a subset?
Will this policy apply to users of a given product/service, regardless of their affiliation (e.g., O365 users, SAP users, windows machines, etc.)?
Will any costs be involved in implementing this policy?
How will your policy clarify how IS/IT does its business?
Will this policy impact your business partners and/or require contract modifications (e.g., background checks, nondisclosure agreements, security controls, product reference listings, etc.)?
Engage stakeholders and inquire as to what other factors should be evaluated and/or considered when creating this policy?
How would a policy impact customers in accessing and using your business and/or IT services?
11
Creating IT Policy – Getting Started
Determining need for and framing a new or revisions to existing IT policy?
What teams are responsible for the product and/or service area that is impacted by this policy?
Are there multiple teams? How will these teams coordinate the administration of the policy?
Will any costs be involved in implementing this policy?
Is there any other related document that you want to refer to or incorporate in your policy (e.g., procedures, guidelines, Standards, other policies, etc.)?
Who is the policy owner (considered the source of the authority for this policy)?
Who shall review and approve this policy?
Note: The some of above information may appear in your policy, but it will confirm for you whether or not you really need a policy.
12
Creating IT Policy – Getting Started
When developing policy, need to be careful in saying too much or saying too little. The more complex and detailed the policy, the higher degree of maintenance and training required
Policies should be written at a high level and incorporate standards, procedures, and/or guidelines to provide those affected by the policy with methods for implementing and ensuring compliance
When incorporating standards, ensure the standards are reasonable, relevant, flexible, and current
Conduct research for existing policy examples that can be referenced
13
Creating IT Policy – Getting Started
Consult with subject matter experts and stakeholders when drafting the policy (e.g., policy content and understanding impacts)
Do not embed the content of procedures, guidelines, and industry standards in the policy document. Should reference them but keep them as separate documents.
Sometimes, a policy has progressive discipline actions. For example, policy language can list the situation: for the first offense, you will receive sanction 1, for the second offense, you will receive sanction 2, etc. Your policy language should state that the sanctions are enforced and are in the best interest of the service provider and the larger community.
Should be written keeping in mind the features of good policy
14
Creating IT Policy – Draft
Draft the language
Now that you have your information, you are ready to write a draft.
Who will write the draft?
Don’t assume that the team’s content expert should be the person to write the draft.
Find out who is the most experienced writer on your team (could be the content expert) and ask that person to write the first draft.
The first draft is important because it sets the tone you want to present for the policy.
15
Creating IT Policy – Draft Suggestions
Here are some suggestions to help you write your draft:
Create a brief outline of the topics you want to cover
State clearly what your stakeholders can and cannot do
Explain how to correct an action
Include any terms that might be confusing to the customer and provide definitions
If appropriate, list any special circumstances in which this policy would not apply
If appropriate, include any time constraints (e.g., does this policy apply only at the beginning or end of the a specific business cycle, or only at tax time)?
16
Policy Elements
IT policy document should contain the following sections:
Organization Name & Logo
Policy Title
Policy Number (logical number sequence and categorized by policy domain area)
Date the policy was written
Date policy was last revised
Date the policy will be effective
Policy Statement
Purpose
Scope/Jurisdiction
Objectives
Definitions
Policy Requirements & Controls
References
The organization who is responsible for policy lifecycle management usually facilitate the creation and maintenance of polices and IT Governance Charters
17
Creating IT Policy – Suggestions
Review and get final approval
It’s time to send the draft out for review.
Send the draft to the appropriate reviewers and let them know that this is a draft and that their comments are welcomed
If you receive comments that are confusing, unclear, or contradict other’s points of view, consider conducting a face to face meeting to review all the comments. That way, you will ensure that everyone has heard all the suggested changes and has agreed on the revised wording.
Where appropriate, incorporate the comments and be sure you indicate these changes.
Circulate the draft again until everyone agrees on the wording
Send the policy to the approver(s) for a final approval
18
Creating IT Policy –Suggestions
Communicate to the Stakeholders
You have final approval for your policy and are ready to make it public
How do you want to promote this policy? What medium and communications channels will be used to promote the policy?
Corporate Home page or IT Intranet site, CIO newsletter, webinars, forums, visits to departments direct mail, and/or campus-wide email?
What is the timing for this policy (immediate, phased, big-bang)?
Depending on the breadth and impact of the policy, you might choose different strategies
Certain corporate and IT polices require reoccurring training certain times during the calendar year or every 2-5 years.
19
Creating IT Policy – Suggestions
Recommended bodies to use reference for IT Policies:
National Institute of Standards and Technology (NIST)
American National Standards Institute (ANSI)
Gartner Inc.
Institute of Electrical and Electronics Engineers (IEEE)
20
IT Security Policy Considerations
Every organization should have a strategy for how it will implement Information Security principles, technologies, and policies
All these require, in some form, a written IT security policy:
PCI Data Security Standard (DSS)
Health Insurance Portability and Accountability Act (HIPAA)
HITECH Act
Sarbanes-Oxley Act (SOX)
ISO family of security standards
Graham-Leach-Bliley Act (GLBA)
21
IT Security Policy Considerations
IT security polices within an organization typically encompass the following areas:
Acceptable Use
Organization Security
IT Asset Classification
Personnel Security
Physical & Environmental Security
Authentication & Access Controls (e.g., guest, employees, remote, business partners, etc.)
Business Continuity
Data/Information Security (e.g., encryption, data classification, e-commerce, DLP)
Network & Firewall
Incident Response Policy
22
IT Security Policy Considerations
Why is IT policy important? Think of a situation that could have been or can be prevented had an IT policy been in place?
List and briefly describe five features for structuring good policy?
What elements should be contained in your policy outline?
23
Group Discussion
IT Policy Management
24
IT Policy Adoption and Management
It is important to a group within the IT Organization who oversees IT Policies and performs compliance audits.
The IT policy group also coordinates with business side of the house regarding HR polices related to IT.
IT policy organization should establish policy life cycle model with processes and procedures e.g., request, create, modify, review, approve, communicate, publish, etc.)
New and/or changes to existing IT policy should require a formal review and approval leveraging IT governance entities
IT Policy Domain Workgroups or Subcommittees shall review IT polices on a annual basis to examine waiver patterns, relevancy, and alignment and recommend changes to higher level governance entity
25
IT Policy Adoption and Management
There should be a IT policy waiver process to grant exceptions on a temporary basis. The IT policy waiver process should be linked to risk management and audit compliance processes as well.
IT Policy Dashboard should be maintained to provide the stakeholder community with a transparent and high-level reporting mechanism for all IT polices currently in the governance process
Create a policy glossary to be referenced as a common standard language of terminology and definitions to ensure consistency when developing policy
Establish routine (20-day review), expedited (10-day review), and emergency (as determined by CIO or CISO) process categories to be able to make IT policy changes in a timely manor based on the situation
Leverage a robust EDMS with configurable workflow process to facilitate the IT Policy LSM processes.
26
IT Policy Adoption and Management
Policy Reference Matrix
A policy matrix should be developed and maintained; typically a source or record for the IT Policy Dashboard
This matrix maps existing policies with other policies. This provides IT policy stakeholders with a reference to what policies may affect other policies, particularly if a policy is modified or rescinded
The policy matrix captures all published policies and their current status (active, create, modify, rescinded, etc.)
The policy matrix captures information on whether a policy has Product Standards references
The policy matrix captures the IT policy Business Owner
The IT policy coordinator should review the policy matrix on a routine basis and provide the necessary revisions based on the current IT policy environment
The policy matrix is usually an internal IT document but it can be made available at the request of policy stakeholders
27
IT Policy Adoption and Management
Key Steps in IT Policy Creation
Determine Need (new policy or changes to existing policy)
Request Submission (New of Change)
Policy request and approval
Research, Evaluation, & SME consultation (Impacts, standards, exist references, requirements, scope, costs, enforceability, etc.)
Draft initial draft policy document
Stakeholder initial review and feedback on draft policy document
Evaluation and consideration of feedback/recommendations
Revisions and creation of final policy draft
Stakeholder secondary review and feedback
Evaluation and consideration of feedback/recommendations
Create signature ready IT Policy
Final Policy Approval
Communications to stakeholders
Publication
28
29
30
IT Policy Adoption and Management
Important to establish a IT policy lifecycle management program from creation to recension.
Formal process should exist for the following:
Policy Change Management
Policy Release Management
Policy Audit & Compliance Management
Policy Records Management
31
IT Security Policy Considerations
Why is it important to require new and/or changes to existing IT policy ?
What is the importance of establishing IT Policy Dashboard, Matrix, and Glossary?
What key processes should be established to support the lifecycle management of IT policies?
32
Group Discussion
Assignments
Chapter 8 (IT Managers Handbook)
Homework 4: IT Policy Management & Procedures
33