
Cybersecurity Insights

The Value of Well-Documented Policies

Posted in Business to Business, Direct Sales, Finance, Healthcare, Non-Profit & Government Agencies, PCI Policy Review, Professional Services, Small to Medium Sized Businesses

Introduction to IT Policy

Business operations policy is essentially a formal communication method. It is specific to an individual corporation and applies only to the employees and partners of that firm. Policies communicate management’s expectations and method of governing to employees and partners. Policy establishes clear guidelines for acceptable and unacceptable behavior and often explains how behavior will be monitored or evaluated. Finally, properly written and implemented policy establishes penalties for violating the established rules. Business policy does not replace governmental jurisdiction but instead works in concert with the legal system. A policy may impose sanctions such as loss of privileges, compensation, or even employment; it relies on national, state, and provincial governments to apply more serious penalties for illegal behavior, such as prosecution, civil penalties, or even jail sentences. Policy is frequently one of the first things new employees and partners are introduced to when joining or working with a company.

Policy is often divided into three categories:

  • Policy – Policy is usually higher-level or generally applicable and addresses the question of “What should happen?” or “What behavior is acceptable/unacceptable?”
  • Procedure – If the Policy is general, the Procedure is tactically oriented and is a direct extension of the Policy. It answers the question of “How should things happen?” For example, if a policy states the organization must have information system backups, the procedure may require backups to be kept in tape form, or perhaps in an off-site data repository.
  • Standard – Standard documents answer the question, “How much compliance with Policy and Procedure is enough compliance?” Standards are used when technical or complex issues are considered and provide guidance on judging the adequacy of a solution. One of the easiest examples to offer is computer encryption. Most policies and procedures dealing with information system protection will require “strong cryptography”. Since the technology world changes rapidly, a standard is kept that explains which types of cryptography are acceptable and in which formats. Standards are normally used by employees specializing in the area the Standard addresses.

Reasons for Having Policy

IT Policy is established to encourage employees and partners to understand management’s desires and contribute to organizational success in ways the management finds productive. Below are just some of the reasons for having well-documented policies.

  • Establishing Responsibilities – One of the more important roles of written policy is to establish who is allowed to make decisions affecting the organization, especially major decisions. This is often referred to as a responsibility matrix. A responsibility matrix identifies not only decision-makers but, in larger organizations, also who is ultimately responsible for decisions made by those lower in the management structure, as well as people who may be affected by decisions and, therefore, may need a voice in decision making. Assigning one individual or committee accountability over an identified business scope makes it possible for business decisions to be made quickly and speeds business adaptation to changing conditions.
  • Defining Successful Cooperation – One might say: “If you never ask for what you want, you’ll never receive it.” Along these same lines, a policy is a business organization’s way of establishing clear guidelines for basic employee and partner behavior. Not all the answers to business problems are found in policy (strategy and product details, for example), but IT policy establishes the framework for normal business operations (employee relations, procurement practices, information security requirements, etc.).
  • Protecting Resources – Policy normally identifies which resources the organization values and how employees and partners are expected to safeguard those resources. This includes organizational assets such as computers but also extends to protecting human resources through rules such as non-harassment and anti-discrimination rules. Data protection is one of the more important topics typically addressed. Whether the business wants to protect trade secrets or simply ensure the privacy of the people whose information it holds, data protection can be an important part of protecting its business interests.
  • Emergency Response – Not only does policy define “normal” business operations, it is also an important communication venue for organizing responses to non-normal business operations. Establishing expectations and an avenue for continuing to support business objectives in emergencies can be an important part of business planning. For example, online services may suffer significant financial damage if they are unavailable for extended periods of time.
  • Legal Protection – Businesses in regulated industries already know that they need clearly documented policies to pass audits. However, even companies in “regular” business environments benefit greatly from having clear policies and consistently following them. Showing that a company has and follows relevant organizational policy may help in many employment disputes or civil court cases.

How to Develop Good Policy

Policy is most effective when it is kept current and available for review. Several important aspects of a policy include the following:

  • Clear and Concise – Policy should be written clearly and understandably for all users. It is best written in outline form with outline numbering so specific requirements can be easily referenced.
  • Consistent Format – All policies should have a similar format to make reading and finding requirements easy. Scope and applicability should outline to whom the policy applies. Policy owners should be identified so questions may be easily and quickly resolved.
  • Central Location – All policies should be available in a central location and should be available to all employees.
  • Revisioning – Policy must have revisioning and applicability dates. Announcements should be made when new versions are released to ensure all employees are familiar with the current policy.

Information Security Policy

Policy protecting information resources is becoming a requirement for almost every business in today’s marketplace. For most, information systems use has long since transitioned from a luxury to a necessity for successful business operations. Businesses connected to the Internet must recognize they have moved away from a world they mainly control into a world where many outside players can and often do affect their ability to conduct business. Information system use and protection policies based on recognized industry frameworks and best-practice standards help you remain in control of your business and avoid unwelcome surprises.

Summary

All businesses, especially those with over 30 employees, should consider the value a well-considered policy will bring to their business. If you’re new to the policy world, consider starting with free online examples or, better yet, an expert who can save you months of effort with framework-compliant policy templates customized to your individual needs.
