Transcript of IT POLICIES MIS 5202 – IT GOVERNANCE
Britt Bouknight, Caitlyn Carney, Xiaoyue Jiu, Abey P John, David Lanter, Leonardo Serrano

Page 1:

IT POLICIES
MIS 5202 – IT GOVERNANCE
Britt Bouknight, Caitlyn Carney, Xiaoyue Jiu, Abey P John, David Lanter, Leonardo Serrano

Page 2:

PRESENTATION AGENDA:

• Determining Whether Policies & Procedures are Needed
• Process for Developing Policies & Procedures
• Components of A Good Policy
• Keep it Simple Philosophy
• Target Audience Considerations
• Implementation Tips
• Enforcement
• COBIT relationship


Page 4:

QUESTION

Which of the following companies could benefit from developing a formal policy?

A. A small company with limited risk exposure
B. A medium company with well-established & effective processes
C. A small company struggling to implement a new process/behavior
D. A large company with significant risk exposure

Page 5:

ARE POLICIES & PROCEDURES NECESSARY?

• Majority of companies don’t have formal policies and procedures
• Depends on the risk of not having them
• Depends on size of company
• Takes time and money to develop & implement policies
• Three Compelling Reasons to Develop Formal Policies:
  1. Eliminate or minimize risk
  2. Establish a desired behavior or process
  3. Educate employees

Page 6:

ARE POLICIES & PROCEDURES NECESSARY?

• Policies vs. Procedures
  • Policies – used to establish what it is you want
  • Procedures – used to give employees the “how to” of adhering to policies
• Example:
  • A programming change policy states the requirement you put in place to manage programming requests.
  • The procedures in the policy provide specific steps to follow and forms to use.
• Procedures may not be included in some policies (Ex. Vacation Policy)

Page 7:

ARE POLICIES & PROCEDURES NECESSARY?

• Taking a Practical Approach:
  • Liability & Risk Exposure
    • Litigious society
    • Bigger the company, bigger the exposure
    • Formal policies & procedures = protection
  • Potential Benefits
    • Reduce risk/protect assets
    • Boost employee productivity
    • Improve relationships between departments
    • Boost morale
    • Educate employees
    • Change culture

Page 8:

OBJECTIVES OF POLICIES & PROCEDURES

• Every policy should have a clear set of objectives.
  • Customized
  • Specific
• Should be included in the “Objectives” section.
  • Example: “Improve the quality of software change releases by 80%”
  • Must have sufficient data
  • Goal must be achievable

So you have established the need for a formal policy in your organization; what comes next?

Page 9:

A QUICK PROCESS FOR DEVELOPING POLICIES AND PROCEDURES

Eight steps to develop policies and procedures:

• Step 1 – List areas of risk
• Step 2 – List desired behavior or processes you want
• Step 3 – Assign a relative importance factor
• Step 4 – Define the list of policies and procedures you need
• Step 5 – Prioritize your list of policies and procedures
• Step 6 – Determine how you will develop your policies and procedures
• Step 7 – Develop and implement your policies and procedures
• Step 8 – Monitor and enforce your guidelines

Page 10:

QUESTION

An IS auditor finds that not all employees are aware of the enterprise’s information security policy. The IS auditor should conclude that:

A. This lack of knowledge may lead to unintentional disclosure of sensitive information.
B. Information security is not important to all functions.
C. The IS auditor should provide security training to all employees.
D. The audit finding will cause management to provide continuous training to staff.

Page 11:

COMPONENTS OF A GOOD POLICY

• Rule: “If I can’t understand it, I won’t follow it.”
• Recommendation:
  • Keep same content format structure
  • Use different color schemes for the different organizations

Page 12:

COMPONENTS OF A GOOD POLICY

• Present consistently: easy recognition
• Use creative ideas: reflect culture
• Example:
  A. Company logo
  B. Banner color & department name
  C. Policy ID reference
  D. Policy name
  E. Objective
  F. Applies to
  G. Key guidelines
  H. Samples
  I. Questions?
  J. Last Revision Date

Page 13:

PRESENTATION AGENDA:

Determining Whether Policies & Procedures are Needed

Process for Developing Policies & Procedures

Components of A Good Policy

• Keep it Simple Philosophy

• Target Audience Considerations

• Implementation Tips

• Enforcement

• COBIT relationship

Page 14:

KEEP IT SIMPLE

Two important things to remember when developing a policy:

1. Do not require everything! As long as you address the critical issues, it will be effective.
2. Do not try to include every possible aspect of detail.

Page 15:

KEEP IT SIMPLE

Some aspects of writing to consider when writing a policy:

• Easy to read format, neat and organized.
• Use bullet points.
• “Net” style – short and simple statements.
• Ensure there is a logical flow.
• Walk through and test your procedure.

Page 16:

KNOW YOUR TARGET AUDIENCE

Identify your target audience.
• Those who are affected by this policy.

Next, what’s the best way to develop the policy for this target audience?
• Tailor the policy to your target audience.

Page 17:

KNOW YOUR TARGET AUDIENCE

Things to consider when developing policy:

• What does this group react well to?
• What types of things are important for this group?
• Is there a good way to structure the policy so that it helps the group?
• What will this group need relative to this particular policy?
• Are there implementation strategies that will help this group to incorporate the policies?

Page 18:

QUESTION

What is one thing to keep in mind especially when developing policies for the first time in a given area?

A. Try to include every possible aspect of detail in the policy
B. Strive to hit all the critical issues that address 80% of possible issues you might encounter
C. Use bullet points
D. Walk through your procedures and test them.

Page 19:

PRESENTATION AGENDA:

Determining Whether Policies & Procedures are Needed

Process for Developing Policies & Procedures

Components of A Good Policy

Keep it Simple Philosophy

Target Audience Considerations

• Implementation Tips

• Enforcement

• COBIT relationship

Page 20:

IMPLEMENTATION TIPS

• Do Your Homework

• Be Consistent

• Be “Net” When Writing the Introduction

• Format Matters

Page 21:

IMPLEMENTATION TIPS

• Do Your Homework
  • Research the topic you plan to write a policy for
• Be Consistent
  • Develop all policies consistently
  • Implement all policies consistently
• Be “Net” When Writing the Introduction
  • Write in short, tight statements
  • Focus on “readability”
• Format Matters
  • Helps to identify a policy
  • Creates familiarity
  • Creates consistency
  • Creates a simple outline for easy reading

Page 22:

IMPLEMENTATION TIPS

• Communication Methods
  • Have a communication plan for IT policy communications:
    • Purpose:
      • Help create a consistent action within the organization
      • Provide a framework for daily decision making
      • Provide clear understanding of what employees must do
    • Communicator: Announce new policies from the highest management level deemed appropriate
    • Stakeholders:
      • The IT Personnel who will be impacted
      • The IT Organization as a whole

Page 23:

IMPLEMENTATION TIPS

• Communication Methods Continued
  • Messages: Present the policy clearly.
    • When does it apply?
    • How will results be measured?
  • Delivery Methods:
    • Company announcement
    • Presentation (managers)
    • Company Memo
    • Email Notice
  • Delivery Frequency:
    • IT policies can be time sensitive
    • IT policies should be reviewed frequently
    • It is recommended to build reviews into the process

Review policies often to ensure they are adhered to.

Page 24:

IMPLEMENTATION TIPS

• Communication Methods Continued
  • Feedback:
    • Solicit feedback from stakeholders while developing policies
    • Include future leaders
    • Consider draft versions to gauge impact and gather reviews
  • Measure Success:
    • Over time make sure to track what policies succeed
    • Utilize what you learn to create other successful policies
  • Validate Before Announcing:
    • Validate for content accuracy
    • Inspect for legal compliance and appropriateness
    • Collaborate to determine the best possible means for implementation

“Everything you do either contributes to your professionalism or takes away from it. Approach the development and the implementation of policies and procedures so that you are sure to enhance your IT Organization’s image among company employees.”

- Mike Sisco

Page 25:

WHO SHOULD COMMUNICATE NEW POLICY?

Which is the best way to communicate a new IT Policy?

A. The CEO should call a meeting
B. An email from the help desk
C. Posting the policy in the break room
D. The department managers should call a meeting

Page 26:

PRESENTATION AGENDA:

Determining Whether Policies & Procedures are Needed

Process for Developing Policies & Procedures

Components of A Good Policy

Keep it Simple Philosophy

Target Audience Considerations

Implementation Tips

• Enforcement

• COBIT relationship

Page 27:

ENFORCING YOUR POLICIES

1. Provide Training – Education and training are good for encouraging employees to follow new policies. Minimize resistance by explaining what, why, and how.
2. Prompt action on non-compliance – Response to non-compliance should happen soon after discovery of an issue.
3. Monitor – Find ways to monitor compliance so as not to be overly noticeable to employees.

Page 28:

CURRENT TEMPLE POLICY

Department Name

Policy Name

Policy ID Reference

Objectives

Applies to

Last Revision Date

Key Guidelines

Page 29:

PRESENTATION AGENDA:

Determining Whether Policies & Procedures are Needed

Process for Developing Policies & Procedures

Components of A Good Policy

Keep it Simple Philosophy

Target Audience Considerations

Implementation Tips

Enforcement

• COBIT relationship

Page 30:

COBIT 5 - IT GOVERNANCE AND MANAGEMENT FRAMEWORK

Built Around 5 Key Principles

1. Meeting stakeholder needs

2. Covering the enterprise End-to-End

3. Applying a single integrated framework

4. Enabling a holistic approach

5. Separating governance and management

CISA Review Manual 2013: 1.5.2 COBIT pp. 46-47

…enables effective governance and management to optimize information and technology investment and use and benefit the organization’s stakeholders

IT Policies enable governance and management…

Page 31:

COBIT 5 - IT GOVERNANCE AND MANAGEMENT FRAMEWORK

Built Around 5 Key Principles

1. Meeting stakeholder needs

De Haes, S., et al. (2013) “Understanding the Core Concepts in COBIT 5”, ISACA Journal, Vol 5.

“To verify whether stakeholder needs are indeed being met, …developers of COBIT 5 have built on the balanced scorecard concepts.”

The figure illustrates enterprise goals grouped by balanced scorecard perspective.

Page 32:

COBIT 5 - IT GOVERNANCE AND MANAGEMENT FRAMEWORK

Built Around 5 Key Principles

1. Meeting stakeholder needs
2. Governing the Enterprise End to End – IT Savvy
3. Applying a Single Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance from Management

De Haes, S., et al. (2013) “Understanding the Core Concepts in COBIT 5”, ISACA Journal, Vol 5.

COBIT 5 recognizes that governance and management of enterprise IT (GEIT) need a holistic approach, i.e. an organizational system of enablers that gets people to work together to carry out the business.

CISA Review Manual 2013: 1.5.2 COBIT pp. 46-47

IT Policies enable governance and management…

Page 33:

IS CONTROL OBJECTIVES

Are high-level requirements for effectively controlling each IT process that…

1. State the purpose for implementing each IS process control
2. Are designed to provide reasonable assurance that business objectives will be achieved, and undesired events will be prevented, detected, and corrected
3. Consist of policies, procedures, practices, and organizational structures

IT Policies state control objectives…

CISA Review Manual 2013: 1.5.1 COBIT p. 45

Enterprise managers need to:

• Select which policies are relevant
• Decide which ones to implement
• Choose how to implement them
• Accept risk of not implementing those that are relevant

Page 34:

INTERNAL CONTROLS

Internal controls are implemented to reduce risks to the organization!

• Composed of:
  • Policies
  • Procedures
  • Practices
  • Organizational structures

Control classification:
1. Preventive
2. Detective
3. Corrective

Another control classification:
1. Manual
2. Automated
3. Hybrid (i.e. combination)

CISA Review Manual 2013: 1.5 COBIT p. 45

IT Policies are which kind of internal control in the classifications above?

Page 35:

GENERAL CONTROLS

Include policies, procedures, and practices established by management to provide reasonable assurance that specific objectives will be achieved.

Apply to all areas of the organization, including IT infrastructure and support services, including:

• Policies and procedures for secure and proper use of assets
• Policies for the design and use of documents and proper recording of internal accounting controls and financial records
• Policies for the security of facilities, data centers and IT resources
• Administrative controls to assure efficiency and adherence to policies
• transactions
• Operational controls to meet business objectives
• Procedures and practices for safeguarding assets and facilities

CISA Review Manual 2013: 1.5.3 General Controls p. 47

Page 36:

PRESENTATION AGENDA:

Determining Whether Policies & Procedures are Needed

Process for Developing Policies & Procedures

Components of A Good Policy

Keep it Simple Philosophy

Target Audience Considerations

Implementation Tips

Enforcement

COBIT relationship

Page 37:

IS CONTROLS

Each general control can be translated into an IS-specific control.

CISA Review Manual 2013: 1.5.4 IS Controls p. 47

“Security policies and procedures constitute the main part of any organization’s security. These steps are essential for implementing IT security management:

• Authorizing security roles and responsibilities to various security personnel
• Setting rules for expected behavior from users and security role players
• Setting rules for business continuity plans…

…the universal list is virtually endless and each organization’s list will… be based on several factors…”

Bhasker, R. and Kapoor, B. (2009) Information Technology Security Management, Computer and Information Security Handbook, p. 261

What factors will an organization’s list of IS security policies be based on?
