IT Policy- the “law” that will govern processes/procedures within the area of IT.
The Role of IT Policy:
The policy serves as a protocol and reference created by senior management in the IT Department (depending on the company) that guides the procedures and decisions for successful operations.
- Form a committee for policy development- The committee should consist of individuals from different areas within IT as well as different areas of the business. This representation allows for input from the various areas, which is important because the policy will affect the entire business and not just the IT Department.
- Develop general contents: “statement of purpose, description of the users affected, history of revisions (if applicable), definitions of any special terms, and specific policy instructions from management” (Bryant, 2006). These contents are important because they give some uniformity to the policy, which makes the policy easier to understand and implement.
- “Research related issues both inside and outside the company- One of the biggest mistakes many companies often make when they begin designing policies is to create guidelines and restrictions without any understanding of how the company’s business actually works” (Bryant, 2006).
- Make sure the policy has a high level of understandability- Although the policy addresses various subject matter in the use of IT, it should not be heavy in technical jargon. Many people outside of IT do not understand the technical terms; thus, the policy should be written in layman’s terms where possible. This allows the intended audience to understand the policy easily and also makes it easier to implement and enforce. Nevertheless, there are times when technical terms must be used. In those cases, there should be a glossary or list of defined terms for the reader.
- Conduct various meetings for the organization- the sole purpose of these meetings will be to discuss the policy and make sure that there is a clear understanding of it. Doing this holds everyone accountable, and no one can say that they didn’t know about the policy. Meetings should also be held for updates to the policy, although sending out a memo with those updates may be more feasible for some organizations.
- Yearly policy reviews and/or updates- a multitude of changes can occur within a year’s time. Policies should be reviewed at least once a year and changes should be made as needed.
- Define usage of the policy and protect against unauthorized access to certain content- Some organizations may need to include certain content in the policy that is exclusive to employees and not outside users, or to certain internal areas and not the whole organization. Access should be defined and areas should be protected as necessary.
- Enforce the policy- define within the policy the consequences of violations and strictly enforce them. If the policy is not enforced as violations occur, more and more violations will follow, and exceptions will continually be expected.
- Risk Management- this needs to be taken into account when creating the IT policy because it helps identify, assess, and prioritize risks. Risks should definitely be included within the policy in a way that gives an understanding of each risk, what to do to avoid it, and what to do in case the risk actually occurs.
Tools, Techniques, Best Practices:
- COBIT- COBIT enables clear policy development and good practice for IT control throughout organizations (IT Governance Institute, 2007).
- Include a variety of topics or policies- e.g., Acceptable Use, Information Security Policy, Access Control, Internet and Email, etc.
- Use other policies as a tool- Referencing IT policies from organizations in similar industries can be useful when developing a policy. However, the organization should tailor its policy to fit its own needs.