Developing an IT policy framework is the only way to have an effective IT policy model for operations and compliance. In fact, before you do any IT policy work, you should devote some time to defining your enterprise policy framework and how the IT policy framework will fit within it.
Hierarchical Policy Framework
An enterprise policy framework will use various policy instruments that have a hierarchical relationship between them. Although many organizations only use policies to communicate policy objectives and document procedures, there are advantages to using a specific instrument for each purpose. This is especially the case when it comes to IT.
Definition of Policy
Policies define the governing principles that provide the basis for the required course of action and carry the highest authority in the organization.
Definition of Code
A focused governing principle of business conduct, often applied to human behavior, such as a Code of Ethics or Code of Conduct. Codes can easily be folded into either policies or standards.
Definition of Standard
Formal, mandatory criteria that may be specifications, characteristics, or rules designed to achieve repeated uniformity or quality, or to ensure conformity with policy.
Definition of Procedure
A specified series of steps, in detail, for accomplishing something such as a behavior, task, or process of importance, used to adhere to the criteria mandated by standards or policy.
Definition of Guide
A guide or guideline is a suggested or recommended course of action functioning as a general rule or principle in an advisory role, allowing discretion and judgment.
Enterprise Policy Framework
Although I am referring to this as an enterprise policy framework, you could just as easily substitute governance for policy, since many organizations practice policy-based governance.
There are distinct levels in any enterprise policy framework. The policy levels distinguish themselves by their authority and scope of applicability.
For the typical organization the levels are board, enterprise, and department. In larger organizations you might find a policy model with board, corporate, and business unit levels, followed by departmental.
The key to designing a multi-level policy framework is to define the policy framework at the enterprise level, along with how and when a departmental policy (standard, procedure) can be established.
Most important is to define the superior-subordinate relationship between enterprise policy and departmental policy. This usually includes specifying how conflicts are resolved, especially when you have a decentralized or federated IT operating model.
Within each level you may find some or all of the policy tools in use: policies, standards, and procedures. However, it is more common to find all three in use by IT than by most other departments.
Special Policy Considerations
The design of your specific policy framework must be based on what will produce the most effective governance model. That includes considering how to avoid common policy issues, such as using a policy when a standard or a procedure is more appropriate. It is not that a policy cannot be used to define a process; rather, a policy is often not suitable for a detailed procedure on how a process should operate, or for the details of a standard.
Another consideration is how often the details are likely to change. A policy, by design, should rarely change because it defines fundamental principles, whereas a standard will change as technology advances or as your capabilities increase. Procedures also tend to be more dynamic as automation is introduced or process maturity improves.
When it comes to IT policies, I often remind people they should be written at an enterprise level and apply to all information and technology systems and services. That includes any systems or applications not directly supported by the IT department, much the same way HR policies apply to everyone, not just the staff in the HR department.
That does not mean that you cannot still have IT department policies specific to the systems and services IT supports; it just means they need to be nested within an enterprise policy framework.
Vendors and Technology Service Providers
Your enterprise policy framework must be integrated with your vendor management program as an extension of your enterprise risk management plan.
Remember that even when you use a technology service provider for application managed services, managed hosting, cloud services, off-site storage, or web services, your policy framework must still extend to those functions.
Ordinarily you review the vendor's controls through the contract provisions and a customer service manual before purchasing the services, to ensure their controls are sufficiently equivalent in design to your policies, standards, and procedures. You may also rely on an SSAE 16 (formerly SAS 70) audit report for additional insight into the design of their controls and their operating effectiveness (a Type I report covers control design at a point in time only; a Type II report also covers operating effectiveness over a period).
The mistake many customers make is accepting the SSAE 16 audit report at face value without ever comparing the vendor's policies, standards, and procedures to their internal policy framework. This is how an organization can find itself exposed to a vendor whose controls are weaker than what its own framework requires.
IT Policy Framework
Having defined the enterprise policy framework, you must now define the specific IT policy framework for your specific policy requirements. I prefer to look to the ISACA IT Policy Framework because nearly every IT policy framework has to support IT controls for financial audits and compliance.
The ISACA IT Policy Framework outlines 8 key policy areas and the specific policy elements within each of those areas. You may also find that your external auditor can provide you with a similar IT policy framework tailored to your industry and their audit requirements.
IT Policy Template
You should adopt a standardized IT policy template that contains the essential policy elements for your organization and policy objectives. I have provided a good IT policy template in the products, which includes explanations of how to use each policy element.
The idea is that you create and publish a specific IT policy template to be used as a boilerplate for all IT policies at the enterprise and departmental levels. You might also do the same to create boilerplates for IT standards and procedures.
Alternatively, you may find that creating a single IT Operations Manual has more advantages. You can also find an IT Operations Manual Template here, which includes detailed instructions and suggestions for developing a comprehensive set of standard operating procedures and documenting your IT controls.
This can be particularly useful for decentralized and federated IT organizations, and for any IT service provider who needs to provide their customers with some form of customer service manual.