IT POLICIES MIS 5202 – IT GOVERNANCE Britt Bouknight Caitlyn Carney Xiaoyue Jiu Abey P John David...

Post on 01-Jan-2016


IT POLICIES

MIS 5202 – IT GOVERNANCE

Britt Bouknight, Caitlyn Carney, Xiaoyue Jiu, Abey P John, David Lanter, Leonardo Serrano

PRESENTATION AGENDA:

• Determining Whether Policies & Procedures are Needed

• Process for Developing Policies & Procedures

• Components of A Good Policy

• Keep it Simple Philosophy

• Target Audience Considerations

• Implementation Tips

• Enforcement

• COBIT relationship


QUESTION

Which of the following companies could benefit from developing a formal policy?

A. A small company with limited risk exposure

B. A medium company with well-established & effective processes

C. A small company struggling to implement a new process/behavior

D. A large company with significant risk exposure

ARE POLICIES & PROCEDURES NECESSARY?

• Majority of companies don’t have formal policies and procedures

• Depends on the risk of not having them

• Depends on size of company

• Takes time and money to develop & implement policies

• Three Compelling Reasons to Develop Formal Policies:

• 1. Eliminate or minimize risk

• 2. Establish a desired behavior or process

• 3. Educate employees

• Policies vs. Procedures

• Policies – used to establish what it is you want

• Procedures – used to give employees the “how to” of adhering to policies

• Example: A programming change policy states the requirements you put in place to manage programming requests. The procedures in the policy provide the specific steps to follow and the forms to use.

• Procedures may not be included in some policies (Ex. Vacation Policy)

ARE POLICIES & PROCEDURES NECESSARY?

• Taking a Practical Approach:

• Liability & Risk Exposure

• Litigious society

• Bigger the company, bigger the exposure

• Formal policies & procedures = protection

• Potential Benefits

• Reduce risk/protect assets

• Boost employee productivity

• Improve relationships between departments

• Boost morale

• Educate employees

• Change culture

ARE POLICIES & PROCEDURES NECESSARY?

OBJECTIVES OF POLICIES & PROCEDURES

• Every policy should have a clear set of objectives.

• Customized

• Specific

• Should be included in the “Objectives” section.

• Example: “Improve the quality of software change releases by 80%”

• Must have sufficient data

• Goal must be achievable

So you have established the need for a formal policy in your organization, what comes next?

A QUICK PROCESS FOR DEVELOPING POLICIES AND PROCEDURES

Eight steps to develop policies and procedures:

• Step 1- List areas of risk

• Step 2- List desired behavior or processes you want

• Step 3- Assign a relative importance factor

• Step 4- Define the list of policies and procedures you need

• Step 5- Prioritize your list of policies and procedures

• Step 6- Determine how you will develop your policies and procedures

• Step 7- Develop and implement your policies and procedures

• Step 8- Monitor and enforce your guidelines

QUESTION

An IS auditor finds that not all employees are aware of the enterprise’s information security policy. The IS auditor should conclude that:

A. This lack of knowledge may lead to unintentional disclosure of sensitive information.

B. Information security is not important to all functions.

C. The IS auditor should provide security training to all employees.

D. The audit finding will cause management to provide continuous training to staff.

COMPONENTS OF A GOOD POLICY

• Rule: “If I can’t understand it, I won’t follow it.”

• Recommendation:

• Keep the same content format structure

• Use different color schemes for the different organizations

COMPONENTS OF A GOOD POLICY

• Present consistently: easy recognition

• Use creative ideas: reflect culture

• Example:

• A. Company logo

• B. Banner color & department name

• C. Policy ID reference

• D. Policy name

• E. Objective

• F. Applies to

• G. Key guidelines

• H. Samples

• I. Questions?

• J. Last Revision Date


Two important things to remember when developing a policy:

1. Do not require everything! As long as you address the critical issues, it will be effective.

2. Do not try to include every possible aspect of detail.

KEEP IT SIMPLE

Some aspects of writing to consider when writing a policy:

• Easy-to-read format, neat and organized.

• Use bullet points.

• “Net” style – short and simple statements.

• Ensure there is a logical flow.

• Walk through and test your procedure.

KEEP IT SIMPLE

KNOW YOUR TARGET AUDIENCE

Identify your target audience.

• Those who are affected by this policy.

Next, what’s the best way to develop the policy for this target audience?

• Tailor the policy to your target audience.

KNOW YOUR TARGET AUDIENCE

Things to consider when developing policy:

• What does this group react well to?

• What types of things are important for this group?

• Is there a good way to structure the policy so that it helps the group?

• What will this group need relative to this particular policy?

• Are there implementation strategies that will help this group to incorporate the policies?

QUESTION

What is one thing to keep in mind especially when developing policies for the first time in a given area?

A. Try to include every possible aspect of detail in the policy

B. Strive to hit all the critical issues that address 80% of possible issues you might encounter

C. Use bullet points

D. Walk through your procedures and test them.


IMPLEMENTATION TIPS

• Do Your Homework

• Be Consistent

• Be “Net” When Writing the Introduction

• Format Matters

IMPLEMENTATION TIPS

• Do Your Homework

• Research the topic you plan to write a policy for

• Be Consistent

• Develop all policies consistently

• Implement all policies consistently

• Be “Net” When Writing the Introduction

• Write in short, tight statements

• Focus on “readability”

• Format Matters

• Helps to identify a policy

• Creates familiarity

• Creates consistency

• Creates a simple outline for easy reading

IMPLEMENTATION TIPS

• Communication Methods

• Have a communication plan for IT policy communications:

• Purpose:

• Help create consistent action within the organization

• Provide a framework for daily decision making

• Provide a clear understanding of what employees must do

• Communicator: Announce new policies from the highest management level deemed appropriate

• Stakeholders:

• The IT personnel who will be impacted

• The IT organization as a whole

IMPLEMENTATION TIPS

• Communication Methods Continued

• Messages: Present the policy clearly.

• When does it apply?

• How will results be measured?

• Delivery Methods:

• Company announcement presentation (managers)

• Company memo

• Email notice

• Delivery Frequency:

• IT policies can be time sensitive

• IT policies should be reviewed frequently

• It is recommended to build reviews into the process

Review policies often to ensure they are adhered to.

IMPLEMENTATION TIPS

• Communication Methods Continued

• Feedback:

• Solicit feedback from stakeholders while developing policies

• Include future leaders

• Consider draft versions to gauge impact and gather reviews

• Measure Success:

• Over time, make sure to track which policies succeed

• Utilize what you learn to create other successful policies

• Validate Before Announcing:

• Validate for content accuracy

• Inspect for legal compliance and appropriateness

• Collaborate to determine the best possible means for implementation

“Everything you do either contributes to your professionalism or takes away from it. Approach the development and the implementation of policies and procedures so that you are sure to enhance your IT Organization’s image among company employees.”

- Mike Sisco

WHO SHOULD COMMUNICATE NEW POLICY?

Which is the best way to communicate a new IT Policy?

A. The CEO should call a meeting

B. An email from the help desk

C. Posting the policy in the break room

D. The department managers should call a meeting


ENFORCING YOUR POLICIES

1. Provide Training – Education and training are good for encouraging employees to follow new policies. Minimize resistance by explaining what, why, and how.

2. Prompt action on non-compliance – The response to non-compliance should happen soon after an issue is discovered.

3. Monitor – Find ways to monitor compliance that are not overly noticeable to employees.

CURRENT TEMPLE POLICY

Department Name

Policy Name

Policy ID Reference

Objectives

Applies to

Last Revision Date

Key Guidelines


COBIT 5 - IT GOVERNANCE AND MANAGEMENT FRAMEWORK

Built Around 5 Key Principles

1. Meeting stakeholder needs

2. Covering the enterprise End-to-End

3. Applying a single integrated framework

4. Enabling a holistic approach

5. Separating governance and management

CISA Review Manual 2013: 1.5.2 COBIT pp. 46-47

…enables effective governance and management to optimize information and technology investment and use and benefit the organization’s stakeholders

IT Policies enable governance and management…

COBIT 5 - IT GOVERNANCE AND MANAGEMENT FRAMEWORK

Built Around 5 Key Principles

1. Meeting stakeholder needs

De Haes, S., et al. (2013) “Understanding the Core Concepts in COBIT 5”, ISACA Journal, Vol 5.

“To verify whether stakeholder needs are indeed being met, …developers of COBIT 5 have built on the balance scorecard concepts.”

The figure illustrates enterprise goals grouped into the balanced scorecard perspectives.

COBIT 5 - IT GOVERNANCE AND MANAGEMENT FRAMEWORK

Built Around 5 Key Principles

1. Meeting stakeholder needs

2. Governing the Enterprise End to End – IT Savvy

3. Applying a Single Integrated Framework

4. Enabling a Holistic Approach

5. Separating Governance from Management

De Haes, S., et al. (2013) “Understanding the Core Concepts in COBIT 5”, ISACA Journal, Vol 5.

COBIT 5 recognizes that governance and management of Enterprise IT (GEIT) needs a holistic approach, i.e. an organizational system of enablers, to get people to work together to carry out the business.

CISA Review Manual 2013: 1.5.2 COBIT pp. 46-47

IT Policies enable governance and management…

IS CONTROL OBJECTIVES

Are high-level requirements for effectively controlling each IT process that…

1. State the purpose for implementing each IS process control

2. Are designed to provide reasonable assurance that business objectives will be achieved, and undesired events will be prevented, detected, and corrected

3. Consist of policies, procedures, practices, and organizational structures

IT Policies state control objectives…

CISA Review Manual 2013: 1.5.1 COBIT p. 45

Enterprise managers need to:

• Select which policies are relevant

• Decide which ones to implement

• Choose how to implement them

• Accept the risk of not implementing those that are relevant

INTERNAL CONTROLS

Internal controls are implemented to reduce risks to the organization!

• Composed of:

• Policies

• Procedures

• Practices

• Organizational structures

Control classification

1. Preventive

2. Detective

3. Corrective

Another control classification

1. Manual

2. Automated

3. Hybrid (i.e. combination)

CISA Review Manual 2013: 1.5 COBIT p. 45

IT Policies are which kind of internal control in the classifications above?

GENERAL CONTROLS

Include policies, procedures, and practices established by management to provide reasonable assurance that specific objectives will be achieved

Apply to all areas of the organization, including IT infrastructure and support services, including:

• Policies and procedures for secure and proper use of assets

• Policies for the design and use of documents and proper recording of transactions

• Internal accounting controls and financial records

• Policies for the security of facilities, data centers and IT resources

• Administrative controls to assure efficiency and adherence to policies

• Operational controls to meet business objectives

• Procedures and practices for safeguarding assets and facilities

CISA Review Manual 2013: 1.5.3 General Controls p. 47


IS CONTROLS

Each general control can be translated into an IS-specific control

CISA Review Manual 2013: 1.5.4 IS Controls p. 47

“Security policies and procedures constitute the main part of any organization’s security. These steps are essential for implementing IT security management:

• Authorizing security roles and responsibilities to various security personnel

• Setting rules for expected behavior from users and security role players

• Setting rules for business continuity plans…

…the universal list is virtually endless and each organization’s list will… be based on several factors…”

Bhasker, R. and Kapoor B. (2009) Information Technology Security Management, Computer and Information Security Handbook, p. 261

What factors will an organization’s list of IS security policies be based on?
