
The Importance of Policy Management

Policies can only keep you out of trouble if you enforce and communicate them, writes ITSMWatch guest columnist Phara McLachlan of Animus Solutions.
Jul 30, 2009
By Phara McLachlan

With the business world in a constant state of change, many IT managers find themselves struggling to keep up with policy management. More often than not, policies are created but not properly implemented, resulting in employee non-compliance that will eventually affect the business as a whole. In terms of risk management, maintaining effective policies within an organization can protect against liability. Many organizations use old methods, such as costly intranets, to post policies, which get lost and are never really understood, rendering them ineffective.

Policies are necessary for the protection of the organization as well as the employees. It is imperative that policies are created, communicated, managed, updated and enforced (when necessary) throughout the enterprise. Every organization needs to be extremely diligent about its policies, because that diligence protects intellectual property and valuable data and helps to identify legal compliance for all related federal, state, and local statutes.

Policies and procedures provide a set of company rules and regulations as well as consequences for non-compliance. When not enforced, policies offer little defense against legal action. A well-developed policy communicated by clear procedures and followed by strict enforcement can prevent conflict as well as create compliance with legal statutes, such as Sarbanes-Oxley, resulting in greatly reduced risks.

Control Objectives for Information and Related Technology (COBIT) standards, ISO standards and the laws, regulations and statutes that affect IT management have a major effect on the content of policies. By regularly reviewing company policies against new or updated laws, landmark court decisions and industry standards, IT managers can determine where the liabilities are and alter corporate policies and procedures to ensure compliance.

Two Critical Groups

There are two key groups needed for policy management: an internal task force and your employees.

Life & Times of the Task Force - The task force is a group within the organization made up of key executives from each group, division or business practice that will govern policies. This group will create, manage and enforce policies as well as establish all procedures. This group should meet approximately once a month (even if it’s just a working lunch) to ensure policy compliance.

Even before policies are created, the first step is an assessment or a business gap analysis to determine vulnerabilities within the organization as well as to create efficiencies among the various divisions. After the initial policies and procedures are created, they are often forgotten about until some monumental regulatory change. The ongoing maintenance and care of policies and procedures doesn’t have to be a time-consuming exercise if there is a scheduled meeting of the task force on a monthly or bi-monthly basis.

Setting up the standard ITIL-based, ITSM policy can be one of the most daunting tasks. There are a number of set criteria that the task force should look at:

  • Service request policy
  • Help desk policy, standards and procedures
  • Help desk service level agreement
  • Change control standard, quality assurance and management guidelines
  • Documentation standards
  • Application version control standards
  • Electronic communication policy including Internet, email, instant messaging and other means of e-communications
  • Blog, personal websites and social media policy
  • Remote or mobile standards and procedures.

The policy task force is responsible for creating the policies, their standards, the procedures, the enforcement and the associated metrics.

Employee Communications - The second target group is your employees. It’s critical to generate awareness before any new service is implemented or upgraded through a series of verbal and written communications, followed by a series of educational workshops and intense training before the actual rollout. Internal communication is a critical factor in policy management. If employees don’t understand the process or the policy, or don’t follow the new prescribed procedures, policies become ineffective. In the case of policy, the old adage “If you build them, they will come,” does not apply.

Tags:
business/IT alignment, ITIL, ITSM, Change, policy management
