The IT department often is tasked with developing a range of policies to help set behavior expectations with users and to protect the organization from risk. Without writing expertise and business support, this can be asking too much. To help address this challenge, learn the basics of writing IT policies that actually work.
This video will help you:
- Identify the differences between policies and procedures, so that you know which one you need.
- Form a checklist of key elements that appear in all good policies.
- Create policies that are comprehensive, clear and accurate.
Policies are essential governance tools that create transparency and set expectations with employees. Write them well in order to increase the chances of user compliance.

4 Comments
Another important element of a well-written policy is related to the ability to enforce the policy. One of the primary elements needed to enforce a policy is evidence that the policy is, or is not, being followed. Example: "Employees shall not leave company owned portable computer equipment unattended in automobiles, hotel rooms, etc..." This is not a policy, although it does contain directive wording, i.e. "shall not." Because it is impossible to enforce, this is a guideline. Unless the company is willing to employ private investigators to trail every employee and document the fact that the employee is complying with the policy, there is no evidence that the "policy" is, or is not, being followed and therefore is not enforceable. A good policy will have evidence to demonstrate compliance. The role of an auditor, internal or external, is to provide assurance that policies are implemented correctly and are being followed, i.e. auditors provide assurance. What auditor would be willing to assure the organization that a policy which produces no evidence of compliance is being complied with? Evidence is essential to enforcement and demonstration of compliance. If a "policy" cannot produce consistent evidence of compliance, it is not a policy, it is not enforceable and, again, it is not a policy, it is a guideline.
It would have helped if you would go beyond the usual cookie-cutter approach of dos and don'ts: use concrete examples. Develop an effective policy, explain during writing the policy why you do not include certain specific points (they will be entered into procedures for this policy), criticize a couple of policies. This is a general problem I have with the majority of your (meaning Info-Tech) offerings - you stay in the realm of the general, and therefore frequently are so vague that it is unusable.
Thanks for your comment. The video is best viewed collectively with the Policy Management Lifecycle solution set.
http://www.infotech.com/research/ss/control-the-policy-management-lifecycle?nav_id=2639
Thanks - very well presented.