Protecting business interests with policies for it asset management it-toolkits


2/29/2016 Fundamentals of Data Security Policy in I.T. Management - IT-Toolkits.org

http://it-toolkits.org/blog/?p=56 1/6

Fundamentals of Data Security Policy in I.T. Management - IT-Toolkits.org

We all know that I.T. stands for “information technology” and that’s no accident. In fact, it’s a reflection of the primary mission of every I.T. organization – to provide the means and methods for creating, storing, transmitting, printing and retrieving business related information. By design, this operational mission is driven by the need to “protect”, which also includes preventing unauthorized access, uncontrolled modification and unwarranted destruction. The priorities are self-evident – data integrity is vital, and vital needs must be met with purpose and commitment. The tricky part is to balance vital interests with the associated costs and operational overhead. This is the higher purpose of data security and the goal of related policy development.

Data Security Practices and Policy Purpose

As discussed, “data security” provides the means by which business data and related information is protected and preserved. This is realized in multiple ways, as listed below:

- Data security technology and practices provide the means by which data can be safely created, stored, transmitted, printed and retrieved.
- Data security technology and practices provide the means by which data accuracy and integrity is ensured and maintained.
- Data security technology and practices provide the means to prevent and control unauthorized access, modification and destruction.
- Data security technology and practices provide the opportunity to minimize the risks and costs associated with data loss, data corruption and unauthorized access.

Of course, the physical means of “securing data” are essential to the process. You must have the technical ability (through hardware and software) to physically meet each of the above listed objectives. But that will only take you part of the way. To realize all of the intended benefits, data security practices must be “institutionalized” – i.e. integrated into the corporate culture and made part of how a given organization works. This is achieved through the development and implementation of effective “data security policy”. Policy is a governance mechanism, used to translate tangible security objectives into organizational terms that can be implemented and enforced. In the case of data security, related policies provide the “how, what, and why” to communicate security objectives and promote expected compliance.

To fulfill this mission, data security policy must be developed and documented to reflect the following components and answer the underlying formative questions:

Policy Purpose

- What are the specific goals of this data security policy?
- Why has the policy been created (considering the background events leading to policy development)?
- What will the policy accomplish considering data security goals and objectives?

Policy Basis

- What is the underlying authority and/or organizational basis for this data security policy (considering internal guidelines and/or external regulatory requirements)?
- Do you have sufficient executive support to sufficiently enforce compliance with all of the policy provisions?

Policy Scope

- What are the organizational targets of the policy considering company-wide applicability, division specific application, departmental application or location specific application?
- What are the data targets of the policy considering the types of files, records, information and applications covered by the policy?

Policy Stakeholders

- Who are the policy stakeholders considering both individuals and groups who have a vested interest in the policy and ability to influence the outcome?
- What are the specific roles and responsibilities required to implement, administer and enforce all policy terms, including all stated compliance obligations?

Security Means and Methods

- What are the means and methods to be utilized to realize all identified data security requirements, including data encryption, data access restrictions, security monitoring, data classifications, userid requirements, password requirements, data storage mechanisms, and related matters?

Compliance and Enforcement Guidelines

- What are established guidelines for data security compliance?
- Will there be any exceptions and/or waivers with regard to policy compliance? If so, what are the terms under which exceptions and/or waivers will be granted?
- How will compliance be enforced and what are the consequences for a failure to comply?
- How will employees be provided with training relating to data security compliance?
- What types of auditing procedures will be used to monitor and promote data security compliance?

Take an Inclusive Approach to Policy Development

Every data security policy will benefit from an inclusive approach to development and implementation. It takes a partnership between all of the interested and invested stakeholders to fully realize policy relevance and enforcement. In the collaborative approach, the end-user partner defines the need (the data to be protected and the business basis behind the security requirements). The IT partner provides the technical means (and capability) by which the identified data security needs can be met. These needs and means are then combined to form actionable policy through an “inclusive” development process, characterized by input and collaboration at every stage:

- Policy planning relies on input and information relating to data security needs and policy objectives.
- Policy preparation relies on the review of policy drafts, negotiation, and feedback relating to specific terms and related obligations.
- Policy implementation relies on the documented acceptance (and approval) of policy terms and compliance obligations on the part of decision making stakeholders.

As policy development unfolds, checkpoints should be established to ensure that all decision making stakeholders have been sufficiently engaged in the development process. Considering the long term benefits of collaborative policy development (compliance is more readily secured when you have advance buy-in), it’s always a good idea to create a “policy team” or committee as the organizational vehicle for policy development. This policy team or committee should include members from all sides – the end-user community, IT department, Legal department, Human Resources and any other appropriate department with something to contribute. This will help to ensure that the policy delivered represents all interests, incorporates all concerns, and has the greatest chance to succeed.


Where is that laptop? Who has that printer? Do we have sufficient software licenses for every user? These are the types of questions IT asset management is meant to answer. As an operational practice, IT asset management serves multiple purposes, as reflected in the list below:

1. Asset management practices are used to minimize the risk that investments made in technology (hardware, software and training) will be lost due to theft, destruction or other damage.
2. Asset management practices are used to ensure that technology assets are properly allocated to end-users to optimize usage and workplace productivity.
3. Asset management practices are used to simplify technical support and maintenance requirements.
4. Asset management practices are used to lower IT “cost of ownership” and maximize IT ROI.
5. Asset management practices are used to ensure that software licensing is in full compliance, minimizing the risk of legal and regulatory problems.
6. Asset management practices are used to support “sister” policies for disaster recovery, email usage, data security, and technology standards.

The Role of Asset Management Policy

Asset management practices define the actions to be taken to protect and preserve technology assets – from physical locks on equipment to inventory tags. In conjunction, policy provides the “asset management mindset”. This mindset acknowledges that “technology assets are important to us and we take them seriously enough to put up with protective controls”. To realize all of the intended benefits, this mindset must be integrated into daily operations and the corporate culture – and this is achieved through adopted policy.

Once approved, asset management policies provide the governing authority to implement all aspects of the asset management program. While policy terms and specifics will vary according to organizational needs, the most effective policies are designed around (13) key components, as listed below:

1. Asset Standards. To identify the specific hardware and software products (assets) to be used and supported.
2. Configuration Standards. To identify how standardized hardware and software assets are to be configured.
3. Variance Process. To establish the criteria and means by which product and configuration standards can (and should) be waived.
4. Support of “Non-Standard” Assets. To establish the services that IT will provide for non-standard products and configurations.
5. BYOD Guidelines. To establish the means for supporting “Bring Your Own” devices (tablets, phones, notebooks, laptops).
6. Asset Procurement Guidelines. To identify the policies and procedures relating to the acquisition, procurement and/or rental of technology assets.
7. Security Guidelines. To identify how physical and logical security will be provided for hardware and software assets (locks, passwords, virus protection, etc.).
8. Software Licensing Guidelines. To keep track of asset licensing, ensuring compliance with all relevant agreements, laws and regulations.
9. Technical Support and Maintenance Practices. To identify the processes to be followed for asset related technical support, repair, service dispatch, preventative maintenance, and problem escalation.
10. Configuration Management Guidelines. To identify related practices for asset configuration management and change control to ensure consistent, updated configuration and timely updates as may be required.
11. Asset Inventory Practices. To keep track of the location and assignment of all allocated technology assets (hardware and software), including related record keeping.
12. Asset M.A.C. Practices. To govern requests and activities relating to physical moves, adds and changes (M.A.C.) with regard to allocated hardware and software assets.
13. Asset Disposal Guidelines. To identify the processes to be followed when hardware and software assets are no longer in use and disposal is appropriate (which can include a donation program).

Your Top 10 Policy Planning Questions

As discussed, once they are documented, established (and approved), asset management policies provide the means to “institutionalize” underlying objectives. Policy is a tool by which related practices are implemented and executed, laying out the “what, how and why” of IT asset management. Not only does policy provide the means for governance, it also provides the basis for related planning and decision making. To realize all of these goals and benefits, policy planning must address the following “top 10” planning questions:

1. What are your primary asset management goals?
2. What are the likely benefits to be realized from the standardized management of IT assets?
3. What are the negative aspects and/or risks associated with IT asset management?
4. Is executive management support required to plan and implement these practices?
5. If executive management support is required, are you likely to get it?
6. How would any chosen policies and procedures be implemented and executed?
7. Do you have the resources to plan, implement, and execute any chosen policies and procedures?
8. What are the likely costs associated with managing information technology assets?
9. What are the likely objections to adopted asset management practices and how can they be addressed?
10. What are the consequences of inaction with regard to managing IT assets?
