Designing policy, procedures and standards is a process that many organizations have undertaken for many parts of the business. For Information Technology, the goal is to implement a policy infrastructure that allows managing risk appropriately while still meeting business needs.

First, policy must define the why, what, who, where and how.

Why is the policy important? The first step is to understand why policy is being developed. Business requirements, external compliance, industry compliance or third party requirements, e.g. Service Level Agreements (SLAs), are examples of common drivers for policy implementation.

What are the requirements? Policy and standards must be actionable. Policy sets the general direction; standards define specific actions and responsibilities. The two must work in concert to provide employees with the appropriate information to impact their jobs.

Who needs to know, execute and own the policy? Four hundred pages of policies and standards will not impact an employee unless dropped on their foot. Policy, standards and procedures must be specified as applicable to certain audiences for clear communication.

Where do the standards apply? Policy has to be applied to multiple areas of the business. Identifying where certain requirements apply, while a significant task, is a must for a cost effective, business impact approach.
How will the standards be applied to the business? The policy should be implemented in language relevant to the executors. Procedures, via control content, must be developed to build consistency across the enterprise.

Secondly, policy must be matured over a period of time with a clear strategic course. Without a true sense of its strategic value, policy can quickly become an administrative burden or an ignored dogma. Within departments, policy is absolutely critical in setting strategic objectives, but even more important in building a culture focused on controlled, business oriented services.

Disaster Recovery (DR) is a clear example of how a well-built policy adds strategic value. For a comprehensive approach to DR, many facets of the business must be aligned, and policy will form the backbone of that alignment. Along with many other facets of the business, DR requires:

- Asset classification and inventory must be defined and implemented.
- Business units must have an understanding of critical business applications and processes.
- Department tasks and infrastructure must be enabled with "DR" sensitive controls - backup and recovery, redundant systems, offsite storage/systems, etc.

Each of these functions needs to be a manifestation of policy and standards (outlining requirements) and procedures (impacting business processes). The point is that the ability to respond and recover from a disaster - a highly strategic business objective - has