In this article we address 3 questions - Why are IT Policies important? - Who should be involved in the development of IT Policies? - and - How do organisations manage their policies typically today?
Firstly a quick recap - in Part 1 of Recognising the value of IT Policies we outlined how the first critical step to creating a secure digital environment involves developing policies and procedures. These document an organisation's intentions to diligently manage digital information throughout its life cycle and keep it safe from unauthorised persons. We then defined information security (see below), detailed why IT Policies are required and outlined “what they do”.
Information security can be defined by three things:
- Confidentiality - information must not be made available or disclosed to unauthorised individuals, entities, or processes
- Integrity - data must not be altered or destroyed in an unauthorised manner, and accuracy and consistency must be preserved regardless of changes
- Availability - information must be accessible and useable on demand by authorised entities
Why are IT Policies important?
- Organisations are beginning to understand the importance and power that information, communications and technology bring to their business.
- This may be in support of the fundamental activities of the business (financial systems, logistics, inventory, CRM etc), a customer service portal or – for the more advanced – extend to what is labelled the Internet of Things.
- It is important that these systems are used, operated and managed efficiently and effectively to ensure business continuity and to enable the organisation to meet legal, regulatory and statutory requirements.
- The organisation must define and communicate its expectations for the appropriate use of these systems so that they remain available for business purposes and their use does not bring the organisation into disrepute.
- With the proliferation of mobile devices and cloud service offerings, it is more important than ever for organisations to define what they want their IT environment to look like and how their information should be used. It’s not just “internal systems” anymore.
- Many of the problems around information leakage could have been avoided through appropriate use of information systems. Many outages could have been avoided if systems had been correctly configured and managed.
- Documented Policies and procedures take the guess work out of information security and enable an organisation to manage business risk through defined controls that provide a benchmark for audit and corrective action.
- Without documented policies and procedures each and every employee and contractor will act in accordance with their own perception of acceptable use creating an environment in which system management is ad-hoc as well as inconsistent. Staff will be unaware whether they are acting within the organisation’s risk appetite or not.
- Security attacks against organisations are increasing both in number and sophistication and we must ensure our systems can be protected against these threats. The first step in achieving this is to document the rules and guidelines around system management, operation and use. By complying with these rules and guidelines organisations are doing everything they can to protect their systems and their people from a security threat.
- Effective information security policies protect the staff as much as the organisation.
Who should be involved in the development of IT Policies?
The CIO, IT Manager, Network Administrators and System Administrators should all be involved in the development of the Policies and Procedures. Input from Human Resource, Information Managers is recommended. We also recommend input from Risk and Legal staff if these roles exist within the organisation. Ultimately the Senior Executives and Management Team should sign off the policies.
How do organisations manage their policies typically today?
Many organisations have a basic Email and Internet or Acceptable Use Policy and do not comprehensively define their information and information systems management and use expectations. If they have policies they are usually a couple of word documents published somewhere on the organisation’s intranet. If policies have been developed they may be out of date, available in hardcopy only and not published in such a way that they are readily available to the wider user community. Policies may be handed out by Human Resources during staff induction but there is no reiteration of the policies on an ongoing basis, often no training on information security and typically no ongoing security awareness program. Finding someone to take full ownership of IT Policy in an organisation can be a challenge, making cultural change around IT Security elusive.
To view our new IT Policy System demonstration video Click Here