This document discusses IT policies, procedures, guidelines, and standards. It defines each term and explains that policies establish principles and rules to govern organizational actions, while procedures provide specific instructions to implement policies. Guidelines are recommended best practices, while standards provide a basis for comparison. The document notes that written policies and procedures help ensure consistency, manage risk, and prove due diligence. It provides tips for writing good policies and procedures, including making them clear, specific, enforceable, and flexible. The document also discusses when a procedure is needed to support a policy.
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
Harrisburg University ISEM 547 IT Policy Objectives
1. Harrisburg University
ISEM 547
IT Policy
Objectives
Why Policy?
Policy, Procedures, Guidelines
Writing IT Policy (Best Practices)
IT Policy Management
2
IT Policy
3
2. What is Policy, Procedures, Guidelines & Standards ?
Policy: are principles, rules, and protocols formulated or
adopted by an organization to govern its actions.
The requirements outlined in policies, are used to control and
guide important organizational decisions (e.g., managerial,
financial, administrative, acquisitions, contractual,
programmatic, operational, technical, etc.); within the
boundaries set by them
Procedures are specific instructions to be used to implement
policy requirements in a specific way; they are enforceable
through the policy
Guidelines are general rules, practices, and/or instructions that
can be referenced to comply with policy; they are not
enforceable but recommended as best practices that should be
followed
Standards: refer to something that is considered by an authority
or by general consent as a basis of comparison (e.g., industry,
protocols, academic, etc.)
The purpose of standards is to outline agreed principles or
criteria, so that their users can make reliable assumptions about
a particular product, service or practice
Standards are often referenced in policies or can be used to
frame a policy
Policies should have a formal lifecycle and change management
process
4
3. Why IT Policy is Important
Primary reasons for IT Policy:
Protecting corporate assets (keeping systems and corporate
information safe)
The policy aligns stakeholders and drives desired behaviors,
actions, and provides guidance on how to do things
Only written and published policy can be used to prove the
company has exercised “Due Diligence” in a court of law
There may be legal or regulatory reasons a policy must be
created and published (e.g., HIPAA, FTI1075, Federal Green-
Book Standard, etc.)
Enable an organization to manage business risk through defined
controls that provide a benchmark for audit and corrective
action
Without documented policies and procedures each and every
employee and contractor will act in accordance with their own
perception of acceptable use and system management will be
ad-hoc and inconsistent
5
Features of good policy
Features of good policy usually include the following
Specific- Policy should be specific/definite. If it is uncertain,
then the implementation will become difficult.
Clear & Understandable - Policy must be unambiguous. It
should avoid use of jargons and connotations. There should be
no misunderstandings in following the policy. Unclear policies
can lead to indecisiveness and uncertainty in minds of those
4. who look into it for guidance
Uniform- Policy must be uniform enough so that it can be
efficiently followed by the subordinates.
Appropriate- Policy should be appropriate to the present
organizational strategies and goals and address the intended
policy objectives.
Simple- A policy should be simple and easily understood by all
in the organization.
Inclusive/Comprehensive- In order to have a wide scope, a
policy must be comprehensive.
Flexible- Policy should be flexible in operation/application.
This does not imply that a policy should be altered always, but
it should be wide in scope so as to ensure that the line managers
use them in repetitive/routine scenarios.
Enforceable- Policy should be monitored with established
criteria as to how it will be enforced and determine compliance
Doable- ensure that the policy can be successfully implemented
and not so restrictive or costly that the mission of the
organization is placed at risk.
6
IT Policy
Types of Policy
7
IT Policy Types & Domains?
5. Policy Types
General Program Policy: sets the strategic directions of the
enterprise for global behavior and assigns resources for its
implementation( e.g., conflict of interest, codes or standards of
conduct, etc.)
Topic Specific Policy: addresses specific issues of concern to
the organization (e.g., e-mail, Internet usage, social media,
physical security, application development, systems
maintenance, BYOD, etc.)
System/Application –Specific Policy: focus is on decisions
taken by management protect a particular application or system
(e.g., controls for financial management associated with AP,
AR, business expenses; employee appraisal system, etc.)
Each ITP is categorized based on its primary subject matter.
This categorization is called a domain.
IT Policy Domains
Security
Applications & Software
Architecture/Infrastructure
Services
Project Management
Procurement
IT Finance & Budgeting
8
Creating IT Policies
6. 9
Creating IT Policy – Getting Started
Determining need for and framing a new or revisions to existing
IT policy?
What is the problem or issue(s) that you are trying to solve?
Has a risk assessment been completed and validated the extent
of the potential risks involved with the problem or issue(s)
(e.g., financial, legal, public relations, security vulnerability,
etc.) ?
How would a policy assist in remediating or mitigating the
problem or issue(s)?
Can the problem or issue(s) be resolved by creating new or
changing existing standard operating procedure (SOP),
guideline, process, and/or training program?
How will the policy effect/impact your stakeholders?
Will this policy apply to the entire community or a subset?
10
Creating IT Policy – Getting Started
Determining need for and framing a new or revisions to existing
7. IT policy?
Will this policy apply to the entire community or a subset?
Will this policy apply to users of a given product/service,
regardless of their affiliation (e.g., O365 users, SAP users,
windows machines, etc.)?
Will any costs be involved in implementing this policy?
How will your policy clarify how IS/IT does its business?
Will this policy impact your business partners and/or require
contract modifications (e.g., background checks, nondisclosure
agreements, security controls, product reference listings, etc.)?
Engage stakeholders and inquire as to what other factors should
be evaluated and/or considered when creating this policy?
How would a policy impact customers in accessing and using
your business and/or IT services?
11
Creating IT Policy – Getting Started
Determining need for and framing a new or revisions to existing
IT policy?
What teams are responsible for the product and/or service area
that is impacted by this policy?
Are there multiple teams? How will these teams coordinate the
administration of the policy?
Will any costs be involved in implementing this policy?
Is there any other related document that you want to refer to or
incorporate in your policy (e.g., procedures, guidelines,
Standards, other policies, etc.)?
Who is the policy owner (considered the source of the authority
8. for this policy)?
Who shall review and approve this policy?
Note: The some of above information may appear in your
policy, but it will confirm for you whether or not you really
need a policy.
12
Creating IT Policy – Getting Started
When developing policy, need to be careful in saying too much
or saying too little. The more complex and detailed the policy,
the higher degree of maintenance and training required
Policies should be written at a high level and incorporate
standards, procedures, and/or guidelines to provide those
affected by the policy with methods for implementing and
ensuring compliance
When incorporating standards, ensure the standards are
reasonable, relevant, flexible, and current
Conduct research for existing policy examples that can be
referenced
13
Creating IT Policy – Getting Started
9. Consult with subject matter experts and stakeholders when
drafting the policy (e.g., policy content and understanding
impacts)
Do not embed the content of procedures, guidelines, and
industry standards in the policy document. Should reference
them but keep them as separate documents.
Sometimes, a policy has progressive discipline actions. For
example, policy language can list the situation: for the first
offense, you will receive sanction 1, for the second offense, you
will receive sanction 2, etc. Your policy language should state
that the sanctions are enforced and are in the best interest of the
service provider and the larger community.
Should be written keeping in mind the features of good policy
14
Creating IT Policy - Draft
Draft the language
Now that you have your information, you are ready to write a
draft.
Who will write the draft?
Don't assume that the team's content expert should be the person
to write the draft.
Find out who is the most experienced writer on your team
(could be the content expert) and ask that person to write the
first draft.
The first draft is important because it sets the tone you want to
10. present for the policy.
15
Creating IT Policy – Draft Suggestions
Here are some suggestions to help you write your draft:
Create a brief outline of the topics you want to cover
State clearly what your stakeholders can and cannot do
Explain how to correct an action
Include any terms that might be confusing to the customer and
provide definitions
If appropriate, list any special circumstances in which this
policy would not apply
If appropriate, include any time constraints (e.g., does this
policy apply only at the beginning or end of the a specific
business cycle, or only at tax time)?
16
Policy Elements
IT policy document should contain the following sections:
Organization Name & Logo
Policy Title
11. Policy Number (logical number sequence and categorized by
policy domain area)
Date the policy was written
Date policy was last revised
Date the policy will be effective
Policy Statement
Purpose
Scope/Jurisdiction
Objectives
Definitions
Policy Requirements & Controls
References
The organization who is responsible for policy lifecycle
management usually facilitate the creation and maintenance of
polices and IT Governance Charters
17
Creating IT Policy – Suggestions
Review and get final approval
It's time to send the draft out for review.
Send the draft to the appropriate reviewers and let them know
that this is a draft and that their comments are welcomed
If you receive comments that are confusing, unclear, or
contradict other's points of view, consider conducting a face to
face meeting to review all the comments. That way, you will
ensure that everyone has heard all the suggested changes and
has agreed on the revised wording.
Where appropriate, incorporate the comments and be sure you
indicate these changes.
12. Circulate the draft again until everyone agrees on the wording
Send the policy to the approver(s) for a final approval
18
Creating IT Policy –Suggestions
Communicate to the Stakeholders
You have final approval for your policy and are ready to make
it public
How do you want to promote this policy? What medium and
communications channels will be used to promote the policy?
Corporate Home page or IT Intranet site, CIO newsletter,
webinars, forums, visits to departments direct mail, and/or
campus-wide email?
What is the timing for this policy (immediate, phased, big-
bang)?
Depending on the breadth and impact of the policy, you might
choose different strategies
Certain corporate and IT polices require reoccurring training
certain times during the calendar year or every 2-5 years.
19
Creating IT Policy – Suggestions
13. Recommended bodies to use reference for IT Policies:
National Institute of Standards and Technology (NIST)
American National Standards Institute (ANSI)
Gartner Inc.
Institute of Electrical and Electronics Engineers (IEEE)
20
IT Security Policy Considerations
Every organization should have a strategy for how it will
implement Information Security principles, technologies, and
policies
All these require, in some form, a written IT security policy:
PCI Data Security Standard (DSS)
Health Insurance Portability and Accountability Act (HIPAA)
HITECH Act
Sarbanes-Oxley Act (SOX)
ISO family of security standards
Graham-Leach-Bliley Act (GLBA)
21
14. IT Security Policy Considerations
IT security polices within an organization typically encompass
the following areas:
Acceptable Use
Organization Security
IT Asset Classification
Personnel Security
Physical & Environmental Security
Authentication & Access Controls (e.g., guest, employees,
remote, business partners, etc.)
Business Continuity
Data/Information Security (e.g., encryption, data classification,
e-commerce, DLP)
Network & Firewall
Incident Response Policy
22
IT Security Policy Considerations
Why is IT policy important? Think of a situation that could
have been or can be prevented had an IT policy been in place?
List and briefly describe five features for structuring good
policy?
What elements should be contained in your policy outline?
15. 23
Group Discussion
IT Policy Management
24
IT Policy Adoption and Management
It is important to a group within the IT Organization who
oversees IT Policies and performs compliance audits.
The IT policy group also coordinates with business side of the
house regarding HR polices related to IT.
IT policy organization should establish policy life cycle model
with processes and procedures e.g., request, create, modify,
review, approve, communicate, publish, etc.)
New and/or changes to existing IT policy should require a
formal review and approval leveraging IT governance entities
IT Policy Domain Workgroups or Subcommittees shall review
IT polices on a annual basis to examine waiver patterns,
relevancy, and alignment and recommend changes to higher
level governance entity
25
16. IT Policy Adoption and Management
There should be a IT policy waiver process to grant exceptions
on a temporary basis. The IT policy waiver process should be
linked to risk management and audit compliance processes as
well.
IT Policy Dashboard should be maintained to provide the
stakeholder community with a transparent and high-level
reporting mechanism for all IT polices currently in the
governance process
Create a policy glossary to be referenced as a common standard
language of terminology and definitions to ensure consistency
when developing policy
Establish routine (20-day review), expedited (10-day review),
and emergency (as determined by CIO or CISO) process
categories to be able to make IT policy changes in a timely
manor based on the situation
Leverage a robust EDMS with configurable workflow process to
facilitate the IT Policy LSM processes.
26
IT Policy Adoption and Management
Policy Reference Matrix
A policy matrix should be developed and maintained; typically
a source or record for the IT Policy Dashboard
This matrix maps existing policies with other policies. This
provides IT policy stakeholders with a reference to what
policies may affect other policies, particularly if a policy is
modified or rescinded
The policy matrix captures all published policies and their
17. current status (active, create, modify, rescinded, etc.)
The policy matrix captures information on whether a policy has
Product Standards references
The policy matrix captures the IT policy Business Owner
The IT policy coordinator should review the policy matrix on a
routine basis and provide the necessary revisions based on the
current IT policy environment
The policy matrix is usually an internal IT document but it can
be made available at the request of policy stakeholders
27
IT Policy Adoption and Management
Key Steps in IT Policy Creation
Determine Need (new policy or changes to existing policy)
Request Submission (New of Change)
Policy request and approval
Research, Evaluation, & SME consultation (Impacts, standards,
exist references, requirements, scope, costs, enforceability, etc.)
Draft initial draft policy document
Stakeholder initial review and feedback on draft policy
document
Evaluation and consideration of feedback/recommendations
Revisions and creation of final policy draft
Stakeholder secondary review and feedback
Evaluation and consideration of feedback/recommendations
Create signature ready IT Policy
Final Policy Approval
Communications to stakeholders
Publication
18. 28
29
30
IT Policy Adoption and Management
Important to establish a IT policy lifecycle management
program from creation to recension.
Formal process should exist for the following:
Policy Change Management
Policy Release Management
Policy Audit & Compliance Management
Policy Records Management
19. 31
IT Security Policy Considerations
Why is it important to require new and/or changes to existing IT
policy ?
What is the importance of establishing IT Policy Dashboard,
Matrix, and Glossary?
What key processes should be established to support the
lifecycle management of IT policies?
32
Group Discussion
Assignments
Chapter 8 (IT Managers Handbook)
Homework 4: IT Policy Management & Procedures
33
20. Harrisburg University
ISEM 547
IT Policy Procedures
Objectives
Policy, Procedure, Guidelines, Standards
When do you need a procedure
Creating Procedures Considerations
Guides to writing procedures
2
What are Policies, Procedures, Guidelines & Standards ?
Policy: are principles, rules, and protocols formulated or
adopted by an organization to govern its actions.
Procedures are specific instructions to be used to implement
policy requirements in a specific way; they are enforceable
through the policy. Procedures are action oriented, factual and
instructional.
Procedures are often integral components in policies outlining
the particular actions or steps to meet policy compliance
requirements
21. Guidelines are general rules, practices, and/or instructions that
can be referenced to comply with policy; they are not
enforceable but recommended as best practices that should be
followed
Standards: refer to something that is considered by an authority
or by general consent as a basis of comparison (e.g., industry,
protocols, academic, etc.)
Standards are often referenced in policies or can be used to
frame a policy
3
Creating Procedures
4
When do you need a procedure?
Not everything or IT policy needs a procedure.
The number-one rule of procedure writing is to make sure
there's a reason to create a procedure
Polices require specific processes or protocols are to be
followed for compliance
22. Staff forget to take certain actions, perhaps they keep on getting
things wrong
Tasks are so long and complex that people need guidance on
doing things right
Serious consequences result when a process if done wrong
When a process or situation demands consistency
A written procedure is necessary only if the issue is important
or if there will be a significant benefit from clarifying a process
or outlining specific actions required for policy compliance.
5
Procedures
6
Creating Procedures - Considerations
Good procedure means understanding the process and the
environment (things that influence or integrate with process)
Procedures documents will vary in specific features, based on
the type of information that is detailed.
Effective procedure documents are those that have clear and
consistent formatting so that readers know how to follow the
material.
Paragraphs should begin and end without confusion so readers
23. should not have to wonder where one step ends and another
begins.
In describing steps: use strong action verbs, provide enough
specificity and explanations to ensure that readers know exactly
what to do
Embed relevant icons, images, graphs/charts, flow charts, or
tables in the procedures to guide and facilitate understanding.
7
Procedures
8
Creating Procedures - Considerations
The writing style for a procedure document should rely on clear
and concise language.
All procedural information should be accurate, and any
acronyms should be clarified for instance, the "Food and Drug
Administration (FDA)."
For procedure document that will be in circulation for some
time, avoid using specific information that might become
outdated quickly.
Technical language and jargon that will be unfamiliar to most,
should be clearly defined (SaaS, DR, COTS, DDOS, MIPS,
etc….).
24. 9
Creating Procedures - Considerations
Effective procedure documents should be in outline format with
clear headings, sub-headings, and labels (Diagrams & tables).
Those responsible for writing procedure documents are also
responsible for reviewing them periodically.
If the information is not effective in helping employees, or
attaining the desired outcomes; then the procedure should be
revised and improved
10
Creating Procedures - Considerations
Writing a procedure that is accurate, brief, and readable isn't
always easy. But, with a bit of knowledge and practice, you can
learn effective procedure-writing skills.
Well-written procedures help improve productivity and the
quality of work within your organization
Ensure that the people who need to use a procedure have not
only read it, but also understand and have used it.
Validate procedure before publication
11
25. Creating Procedures
12
Creating Procedures – Starting Block
The key planning activities for writing effective procedures is
to research and gain a keen understand the process that the
procedure will document
Have a clear understanding of the purpose, scope, objectives,
circumstances, and target audience of the procedure
Research and collect information (consulting with subject
matter experts, observe and interview process owners and
process doers)
13
Creating Procedures – Starting Block
Procedure document should be derived from what you have
learned from the planning phase
Once the research an planning phase is complete, define the
26. core functions being performed, associated processes and sub
processes (e.g., inputs, outputs, steps, activities, logical
sequencing, interdependencies, resources, location, etc.)
Integrate meaningful illustrative components such as process
maps, flow-charts, outlines, examples, and value streams
14
Creating Procedures – Illustrations Helpful
15
Creating Procedures – Illustrations Helpful
16Budget ScheduleItemQ1Q2Q3Q4OwnerBudget
AnalysisxxxxCFO, COO, VPsBudget RequestVP & Department
HeadsIncome StatementxxxxFinance & AccountingSales
ForecastxSales & MarketingCustomer AnalysisxxSales &
MarketingStaffing AnalysisxHuman Resources & Department
27. Heads
Creating Procedures – Illustrations Helpful
17Business Systems Technical Specification Compliance
RequirementsItemSystem 1System 2System 3System
4OwnerTechnical Specification AxxxxSecurityTechnical
Specification Bx
x
N/Ax
Infrastructure & OperationsTechnical Specification
CxN/AxxApplicationsTechnical Specification D N/A
xN/A
N/A
Help DeskTechnical Specification E N/A
x N/A
xEnterprise MessagingTechnical Specification F X
N/A
xN/A
EDC
Creating Procedures
Core Steps
18
28. Creating Procedures – Core Steps
Preparation:
Conduct research
Provide a purpose statement (why this procedure)
Provide an overview of the procedure
Identify prerequisite knowledge and skills, if any
Highlight any specific issues and other precautions
Define list of recourses, systems, equipment, supplies, or parts
needed for the procedure
19
Creating Procedures – Core Steps
Writing Procedure
Define a logical sequence of steps and substeps
Define decisions and decision criteria
Ensure clarity and economy of words.
Write to the level of the reader's ability
Define unfamiliar terms
Include hints and helps
Add illustrations, analogies, models, charts, pictures,
workflows, tables, or anything that will aid understanding of the
process and steps involved
29. 20
Creating Procedures – Core Steps
Validate
Walk through and/or pilot test your procedure. Obtain feedback
and recommendations from the target audience during this step.
Is it understandable, effective, complete? Does it produce the
desired results?
Revise & Revalidate
Evaluate and incorporate the feedback and recommendations
and then retest and validate. Finalize the procedure document.
Publish
Issue the procedure document and establish mechanisms to
periodically review to determine accuracy and relevancy as
things may change within the environment or policy.
21
Creating Procedures
Procedure Document Outline
22
30. Creating Procedures - Outline
Title page. This includes 1) the title of the procedure, 2)
identification number, 3) date of issue and last revision, 4) the
name of the agency/division/branch the SOP applies to, and 5)
the owner and author(s) of procedure.
Table of Contents. This is only necessary if your procedure is
quite long, allowing for ease of reference. A simple standard
outline is what you'd find here.
Purpose. Define the reason and rationale for the procedure.
Include applicable policies, standards, and/or regulatory
requirements that may be affiliated or driving need for
procedure document
Scope and applicability. describe who shall follow, and how and
when it's used. Include policies, standards, regulatory
requirements, roles and responsibilities, and locations.
23
Creating Procedures - Outline
Overview. Provide an synopsis of the procedure and processes
outlined in the document
Methodology and procedures. The meat of the issue -- list all
the processes and steps with necessary details, including
resources, inputs, outputs, sequential procedures, decision
criteria, approvals, exceptions, and relationships to business
and/or IT operations.
31. Clarification of terminology. Identify acronyms, abbreviations,
and all phrases that aren't common.
Resources. Complete list of what is needed and when, where to
find systems, equipment, supplies, etc. (If required)
References. Be sure to list all cited or significant references. If
you reference other SOPs, be sure to attach the necessary
information in the appendix
Appendix. Section to append additional support documentation
(if required)
24
Procedures
Typically, under what circumstances do you require a
procedure?
What are the core steps in creating a procedure document?
Why is it important to validate the procedure?
Does anyone use or occasionally refer to procedures in their
work environment?
25
Group Discussion
Assignments
Chapter 8 (IT Managers Handbook)
Homework 3: IT Policy Management
Project 2:
Part A: Create an IT Governance Matrix
32. Part B: Create a Governance Charter for Enterprise Security
Committee
Part C: Write a Information Security Policy for Data
Classifications
26