IT Policies What Policies do all IT Organizations need? November 2008 OC CIO Roundtable Andy King, Exemplis Corporation

Table of Contents Policy Defined Some Reasons for IT Policies Where it Fits in the realm of an IT organization List of IT Policies It looks like we should all have the following policies… Discussion Appendix Example of an IT Policy References

Policy Defined

Some Reasons for IT Policies

Where it Fits in the realm of an IT organization

List of IT Policies

It looks like we should all have the following policies…

Discussion

Appendix

Example of an IT Policy

References

Policy Definition American Heritage Dictionary A plan or course of action, as of a government, political party, or business, intended to influence and determine decisions, actions, and other matters : As an example, an American foreign policy; the company's personnel policy. A course of action, guiding principle, or procedure considered expedient, prudent, or advantageous: Honesty is the best policy. Prudence, shrewdness, or sagacity in practical matters. The American Heritage® Dictionary of the English Language, Fourth Edition Copyright © 2006 by Houghton Mifflin Company. Published by Houghton Mifflin Company. All rights reserved.

Some Reasons for IT Policies To prevent abuse of IT resources, protect ownership and employees Provide guidelines in decision making with IT management Integrate with corporate governance Meet regulatory, legal, and ethical requirements

To prevent abuse of IT resources, protect ownership and employees

Provide guidelines in decision making with IT management

Integrate with corporate governance

Meet regulatory, legal, and ethical requirements

Where IT Policies fit in an organization IT Governance Description: Used by Boards of Directors to evaluate, direct, and monitor the use of IT in their organizations IT Policy and Procedures Description: Used to describe specific IT related guidance and steps to conduct work actions and decisions IT Management Description: Used to implement business objectives in IT using direction from CIO/Head of IT, policies, and procedures

IT Governance Description:

Used by Boards of Directors to evaluate, direct, and monitor the use of IT in their organizations

IT Policy and Procedures Description:

Used to describe specific IT related guidance and steps to conduct work actions and decisions

IT Management Description:

Used to implement business objectives in IT using direction from CIO/Head of IT, policies, and procedures

Where IT Policies Fit CIO IT Governance IT Policies & Procedures IT Management Corporate Governance Company Policies & Procedures A significant cornerstone of the IT framework

List of IT Policies* Security (see next slide for details) Network/Infrastructure Hardware Software Residential Network E-mail External Vendors *Northwestern University Policies and Guidelines

Security (see next slide for details)

Network/Infrastructure

Hardware

Software

Residential Network

E-mail

External Vendors

Security Policy Data Encryption Asset Disposal Hub/Repeater/Wireless Merchant Card Processing Network Privacy Reporting a Violation Secure handling of social security numbers Use and copying of computer software Use of Computers, Systems, and Networks

Data Encryption

Asset Disposal

Hub/Repeater/Wireless

Merchant Card Processing

Network Privacy

Reporting a Violation

Secure handling of social security numbers

Use and copying of computer software

Use of Computers, Systems, and Networks

List of just about every IT Policy I could find! IT Use Policy for EE’s Internet Acceptable Use Breach of Security Policy Electronic Communication Email List Server Password Server Usage Software Installation Printing VPN Wireless Network General Policy Security Data Encryption Reporting Observed Violations Asset Disposal Point of Sale Secure handling of social security Technology acquisition, development, and deployment of Information Technology Bulk email approval Virus and Spyware External Vendor Visitor Access Anti-Malware Lockdown Privacy Back up and restore E-commerce Domain controller Mobile computing IT management Patch management To ensure support of Business Continuity Planning Do you have any others?

IT Use Policy for EE’s

Internet Acceptable Use

Breach of Security Policy

Electronic Communication

Email List Server

Password

Server Usage

Software Installation

Printing

VPN

Wireless Network

General Policy

Security

Data Encryption

Reporting Observed Violations

Asset Disposal

Point of Sale

Secure handling of social security

Technology acquisition, development, and deployment of Information Technology

Bulk email approval

Virus and Spyware

External Vendor

Visitor Access

Anti-Malware

Lockdown

Privacy

Back up and restore

E-commerce

Domain controller

Mobile computing

IT management

Patch management

To ensure support of Business Continuity Planning

Appendix: Policy Examples (see handouts) University of Michigan-Flint The University of Tennessee Murdoch University Yale University Northwestern University (Wow!) Government of Bihar (Interesting) Services/Tools ( not an endorsement ) AltiusIT BizManualz (www.bizmanualz.com)

Policy Examples (see handouts)

University of Michigan-Flint

The University of Tennessee

Murdoch University

Yale University

Northwestern University (Wow!)

Government of Bihar (Interesting)

Services/Tools ( not an endorsement )

AltiusIT

BizManualz (www.bizmanualz.com)

Reference Items: http://www.itgi.org/ IT Governance Institute The American Heritage® Dictionary of the English Language, Fourth Edition British Standard ISO/IEC 38500:2008; Corporate Governance of information technology Wikipedia: Information Technology Governance ScienceDaily: Obama and McCain’s Technology Polices Examined

http://www.itgi.org/ IT Governance Institute

The American Heritage® Dictionary of the English Language, Fourth Edition

British Standard ISO/IEC 38500:2008; Corporate Governance of information technology

Wikipedia: Information Technology Governance

ScienceDaily: Obama and McCain’s Technology Polices Examined