Standards for Designing Policy

Designing policy, procedures and standards is a process that many
organizations have undertaken for many parts of the business. For
Information Technology, the goal is to implement policy
infrastructure that allows managing risk appropriately, yet meeting
business needs.
First, policy must define the why, what, who, where.
Why is the policy important? The first step is to understand
why policy is being developed. Business requirements, external
compliance, industry compliance or third-party requirements,
e.g. Service Level Agreements (SLAs), are examples of common
drivers for policy implementation.
What are the requirements? Policy and standards must be
actionable. Policy sets the general direction; standards define
specific actions and responsibilities. The two must work in
concert to provide employees with the appropriate information
to impact their jobs.
Who needs to know, execute and own the policy? Four hundred
pages of policies and standards will not impact an employee
unless dropped on their foot. Policy, standards and procedures
must be specified as applicable to certain audiences for clear
communication.
Where do the standards apply? Policy has to be applied to
multiple areas of the business. Identifying where certain
requirements apply, while a significant task, is a must for a
cost-effective, business impact approach.
How will the standards be applied to business? The policy
should be implemented in language relevant to the executors.
Procedures, via control content, must be developed to build
consistency across the enterprise.
Secondly, policy must be matured over a period of time with a clear
strategic course. Policy can quickly become an administrative
burden or an ignored dogma without a true sense of the strategic
value of policy. Within departments, policy is absolutely critical in
setting strategic objectives but even more important in building a
culture focused on controlled, business oriented services. Disaster
Recovery (DR) is a clear example of how a well-built policy adds
strategic value. For a comprehensive approach to DR, many facets
of the business must be aligned and policy will form the backbone of
that alignment. Along with many other facets of the business, DR
requires:
Asset classification and inventory must be defined and
implemented.
Business units must have an understanding of critical business
applications and processes.
Department tasks and infrastructure must be enabled with
"DR" sensitive controls - backup and recovery, redundant
systems, offsite storage/systems, etc.
Each of these functions needs to be a manifestation of policy and
standards (outlining requirements) and procedures (impacting
business processes). The point is that the ability to respond and
recover from a disaster - a highly strategic business objective - has
its fundamental success tied to comprehensive policy
infrastructure.
