IT Policies

IT Policies MIS 5202 – IT Governance Britt Bouknight Caitlyn Carney XiaoyueJiu Abey P John David Lanter Leonardo Serrano

Presentation Agenda: • Determining Whether Policies & Procedures are Needed • Process for Developing Policies & Procedures • Components of A Good Policy • Keep it Simple Philosophy • Target Audience Considerations • Implementation Tips • Enforcement • COBIT relationship

Question • Which of the following companies could benefit from developing a formal policy? • A small company with limited risk exposure • A medium company with well-established & effective processes • A small company struggling to implement a new process/behavior • A large company with significant risk exposure

Are policies & procedures necessary? • Majority of companies don’t have formal policies and procedures • Depends on the risk of not having them • Depends on size of company • Takes time and money to develop & implement policies • Three Compelling Reasons to Develop Formal Policies: • 1. Eliminate or minimize risk • 2. Establish a desired behavior or process • 3. Educate employees

Are policies & procedures necessary? • Policies vs. Procedures • Policies – used to establish what it is you want • Procedures – used to give employees the “how to” of adhering to policies • Example: • A programming change policy states the requirement you put in place to manage programming requests. • The procedures in the policy provide specific steps to follow and forms to use. • Procedures may not be included in some policies (Ex. Vacation Policy)

Are policies & procedures necessary? • Taking a Practical Approach: • Liability & Risk Exposure • Litigious society • Bigger the company, bigger the exposure • Formal policies & procedures = protection • Potential Benefits • Reduce risk/protect assets • Boost employee productivity • Improve relationships between departments • Boost morale • Educate employees • Change culture

Objectives of Policies & procedures • Every policy should have clear set of objectives. • Customized • Specific • Should be included in the “Objectives” section. • Example: “Improve the quality of software change releases by 80%” • Must have sufficient data • Goal must be achievable So you have established the need for a formal policy in your organization, what comes next?

A Quick Process for Developing Policies and Procedures • Eight steps to develop policies and procedures: • Step 1- List areas of risk • Step 2- List desired behavior or processes you want • Step 3- Assign a relative important factor • Step 4- Define the list of policies and procedures you need • Step 5- Prioritize your list of policies and procedures • Step 6- Determine how you will develop your policies and procedures • Step 7- Develop and implement your policies and procedures • Step 8- Monitor and enforce your guidelines

Question • An IS auditor finds that not all employees are aware of the enterprise’s information security policy. The IS auditor should conclude that? • This lack of knowledge may lead to unintentional disclosure of sensitive information. • Information security is not important to all functions. • The IS auditor should provide security training to all employees. • The audit finding will cause management to provide continuous training to staff.

Components of A Good Policy • Rule: “If Ican’t understand it, I won’t follow it.” • Recommendation: • Keep same content format structure • Use different color schemes for the different organizations

Components of A Good Policy • Present consistently: easy recognition • Use creative ideas: reflect culture • Example: • A. Company logo • B. Banner color & department name • C. Policy ID reference • D. Policy name • E. Objective • F Applies to • G. Key guidelines • H. Samples • I. Questions? • J. Last Revision Date

Keep it simple • Two important things to remember when developing a policy • Do not require everything! As long as you address critical issues it will be effective. • Do not try to include every possible aspect of detail

Keep it simple • Easy to read format, neat and organized. • Use bullet points • “Net” style – short and simple statements. • Ensure there is a logical flow. • Walk through and test your procedure. • Some aspects of writing to consider when writing a policy:

Know your target audience • Identify your target audience. • Those who are affected by this policy. • Next, what’s the best way to develop the policy for this target audience? • Tailor the policy to your target audience

Know your target audience • Things to consider when developing policy : • What does this group react well to? • What types of things are important for this group? • Is there a good way to structure the policy so that helps the group? • What will this group need relative to this particular policy? • Are there implementation strategies that will help this group to incorporate the policies?

Question • What is one thing to keep in mind especially when developing policies for the first time in a given area? • Try to include every possible aspect of detail in the policy • Strive to hit all the critical issues that address 80% of possible issues you might encounter • Use bullet points • Walk through your procedures and test them.

Implementation Tips • Do Your Homework • Be Consistent • Be “Net” When Writing the Introduction • Format Matters

Implementation Tips • Do Your Homework • Research the topic you plan to write a policy for • Be Consistent • Develop all policies consistently • Implement all policies consistently • Be “Net” When Writing the Introduction • Write in short, tight statements • Focus on “readability” • Format Matters • Helps to identify a policy • Creates familiarity • Creates consistency • Creates a simple outline for easy reading

Implementation Tips • Communication Methods • Have a communication plan for IT policy communications: • Purpose: • Help create a consistent action within the organization • Provide a framework for daily decision making • Provide clear understanding of what employees must do • Communicator: Announce new policies from the highest management level deemed appropriate • Stakeholders: • The IT Personnel who will be impacted • The IT Organization as a whole

Implementation tips • Communication Methods Continued • Messages: Present the policy clearly. • When does it apply? • How will results be measured? • Delivery Methods: • Company announcement Presentation (managers) • Company Memo • Email Notice • Delivery Frequency: • IT policies can be time sensitive • IT policies should be reviewed frequently • It is recommended to build reviews into the process Review policies often to ensure they are adhered to.

Implementation tips • Communication Methods Continued • Feed Back: • Solicit Feedback from stakeholders while developing policies • Include future leaders • Consider draft versions to gauge impact and gather reviews • Measure Success: • Over time make sure to track what policies succeed • Utilize what you learn to created other successful policies • Validate Before Announcing • Validate for content accuracy • Inspect for legal compliance and appropriateness • Collaborate to determine the best possible means for Implementation “Everything you do either contributes to your professionalism or takes away from it. Approach the development and the implementation of policies and procedures so that you are sure to enhance your IT Organization’s image among company employees.” - Mike Sisco

Who should communicate new policy? • Which is the best way to communicate a new IT Policy? • The CEO should call a meeting • An email from the help desk • Posting the policy in the break room • The department managers should call a meeting

Enforcing your policies • Provide Training – Education and Training are good for encouraging employees to follow new policies. Minimize resistance by explaining what, why, and how. • Prompt action to non-compliance – Response to non-compliance should happen soon after discovery of an issue • Monitor – Find ways to monitor compliance as to not be overly noticeable to employees

Current Temple Policy Department Name Policy Name Policy ID Reference Last Revision Date Objectives Key Guidelines Applies to

COBIT 5 - IT Governance and management Framework • Built Around 5 Key Principles • Meeting stakeholder needs • Covering the enterprise End-to-End • Applying a single integrated framework • Enabling a holistic approach • Separating governance and management …enables effective governance and management to optimize information and technology investment and use and benefit the organization’s stakeholders IT Policies enable governance and management… CISA Review Manual 2013: 1.5.2 COBIT pp. 46-47

COBIT 5 - IT Governance and management Framework • Built Around 5 Key Principles • Meeting stakeholder needs “To verify whether stakeholder needs are indeed being met, …developers of COBIT 5 have built on the balance scorecard concepts.” The figure illustrates enterprise goals grouped in a balanced scorecard perspectives De Haes, S., et al. (2013) “Understanding the Core Concepts in COBIT 5”, ISACA Journal, Vol 5.

COBIT 5 - IT Governance and management Framework • Built Around 5 Key Principles • Meeting stakeholder needs • Governing the Enterprise End to End – IT Savvy • Applying a Single Integrated Framework • Enabling a Holistic Approach • Separating Governance from Management COBIT 5 recognizes governance and management of Enterprise IT (GEIT) needs a holistic approach: i.e. organization system of enablers, to get people to work together to carry out the business IT Policies enable governance and management… De Haes, S., et al. (2013) “Understanding the Core Concepts in COBIT 5”, ISACA Journal, Vol 5. CISA Review Manual 2013: 1.5.2 COBIT pp. 46-47

IS Control Objectives • Are high-level requirements for effectively controlling each IT process that… • State the purpose for implementing each IS process control • Are designed to provide reasonable assurance business’ objectives will be achieved, and undesired events will be prevented, detected, and corrected • Consist of policies, procedures, practices, and organizational structures Enterprise managers need to: • Select which policiesare relevant • Decide which ones to implement • Choose how to implement them • Accept risk of not implementing those that are relevant IT Policies state control objectives… CISA Review Manual 2013: 1.5.1 COBIT pp. 45

Internal Controls • Internal controls are implemented to reduce risks to the organization! • Composed of: • Policies • Procedures • Practices • Organizational structures • Control classification • Preventive • Detective • Corrective • Another control classification • Manual • Automated • Hybrid (i.e. combination) IT Policies are which kind of internal control in the classifications above ? CISA Review Manual 2013: 1.5 COBIT pp. 45

General Controls • Include policies, procedures, and practices established by management to provide reasonable assurance that specific objectives will be achieved • Apply to all areas of the organization, including IT infrastructure and support services, including • Policies and procedures for secure and proper use of assets • Policies for the design and use of documents and proper recording of Internal accounting controls and financial records • Policies for the security of facilities, data centers and IT resources • Administrative controls to assure efficiency and adherence to policies • transactions • Operational controls to meet business objectives • Procedures and practices for safeguarding assets and facilities CISA Review Manual 2013: 1.5.3 General Controls pp. 47

IS Controls • Each general control can be translated into an IS-specific control • CISA Review Manual 2013: 1.5.4 IS Controls pp. 47 • “Security polices and procedures constitute the main part of any organization’s security. These steps are essential for implementing IT security management: • Authorizing security roles and responsibilities to various security personnel • Setting rules for expected behavior from users and security role players • Setting rules for business continuity plans… …the universal list is virtually endless and each organization’s list will… be based on several factors…” Bhasker, R. and Kapoor B. (2009) Information Technology Security Management, Computer and Information Security Handbook, p. 261 What factors will an organization’s list of IS security policies be based on?

IT Policies MIS 5202 – IT Governance Britt Bouknight Caitlyn Carney XiaoyueJiu Abey P John David Lanter Leonardo Serrano

IT Policies

IT Policies

Presentation Transcript

Policies

New and Upcoming IT Security Policies at K-State

Financial Policies: Policy Development Reserve Policies Capital Asset Management Policies

Marijuana Policies Should we legalize it?

Policies

Iran: a review through policies . . . Do you get it?

Policies

Campus Policies

Policies

Effect of Corporate IT Policies on Otherwise Privileged Communication

IT Policies & Procedures Week 7

IT Security Policies at K-State

Ensuring IT Security: Policies, Training &Technology

National IT Policies and IT Transfer: The Case of Egypt & Future Work

Security Policies

Policies

IT 244 Week 1 Information Security Security Policies

Security Policies

Policies

IT Policies

IT Policies

Presentation Transcript

Policies

New and Upcoming IT Security Policies at K-State

Financial Policies: Policy Development Reserve Policies Capital Asset Management Policies

Marijuana Policies Should we legalize it?

Policies

Iran: a review through policies . . . Do you get it?

Policies

Campus Policies

Policies

Effect of Corporate IT Policies on Otherwise Privileged Communication

IT Policies &amp; Procedures Week 7

IT Security Policies at K-State

Ensuring IT Security: Policies, Training &amp;Technology

National IT Policies and IT Transfer: The Case of Egypt &amp; Future Work

Security Policies

Policies

IT 244 Week 1 Information Security Security Policies

Security Policies

Policies

IT Policies & Procedures Week 7

Ensuring IT Security: Policies, Training &Technology

National IT Policies and IT Transfer: The Case of Egypt & Future Work