7/29/2019 Developing Effective
http://slidepdf.com/reader/full/developing-effective 1/4
Developing Effective
Policy, Procedures and Standards
By Steve Schlarman
Pick up any book on strategic business process development and, within the first few chapters, you will find a discussion on the importance of policy. Policies are the first line of defense against risk from an organizational perspective.
While technologies, processes, and ultimately, people are the soldiers on the front lines, policy is the strategic direction that guides the organization toward objectives and goals.
The importance of policy is supported by a quick review of current regulatory issues facing companies. While regulations, whether governmental or industry driven, are typically on the "grey" side when prescribing control requirements, the need for defined policy within the organization is always included.
Some examples:
In HIPAA, section § 164.308(a)(1)(i) states 'Security Management Process: Implement policies to prevent, contain, and correct security violations.'
Section 12 of the Payment Card Industry - Data Security Standard (PCI-DSS) contains a considerable discussion on maintaining a policy that addresses information security.
Gramm-Leach-Bliley (GLBA): 314.3 Security Management Process states (the company) 'shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards'.
However, policy is not just a 'check the box' activity for regulatory compliance. Policy defines the organization's response and posture for handling specific business processes.
Policy must be sanctioned by executive management and reflect the organizational view on acceptable business practices.
This includes the management of risks and execution of business processes. Policy must clearly define the structure, approach and philosophy to address a specific business aspect. In Information Technology, policy must cover all aspects of the IT organization - from software acquisition and development to security to disaster recovery to operational management. Policy also must be consistently communicated to the enterprise and applied to business process and strategy. Policy definition is not a one-time activity but must be ingrained into the culture of the organization.
Designing Policy
Designing policy, procedures and standards is a process that many organizations have undertaken for many parts of the business. For Information Technology, the goal is to implement a policy infrastructure that allows IT to manage risk appropriately, yet meet business needs.
First, policy must define the why, what, who, where and how of the IT process.
Why is the policy important? The first step is to understand why policy is being developed. Business requirements, external compliance, industry compliance or third party requirements, e.g. Service Level Agreements (SLAs), are examples of common drivers for policy implementation.
What are the requirements? Policy and standards must be actionable. Policy sets the general direction; standards define specific actions and responsibilities. The two must work in concert to provide employees with the appropriate information to impact their jobs.
Who needs to know, execute and own the policy? Four hundred pages of policies and standards will not impact an employee unless dropped on their foot. Policy, standards and procedures must be specified as applicable to certain audiences for clear communication.
Where do the standards apply? Policy has to be applied to multiple areas of the business. Identifying where certain requirements apply, while a significant task, is a must for a cost effective, business impact approach.
How will the standards be applied to business? The policy should be implemented in language relevant to the executors. Procedures, via control content, must be developed to build consistency across the enterprise.
Secondly, policy must be matured over a period of time with a clear strategic course. Policy can quickly become an administrative burden or an ignored dogma without a true sense of the strategic value of policy. Within IT, policy is absolutely critical in setting strategic objectives but even more important in building a culture focused on controlled, business oriented services. Disaster Recovery (DR) is a clear example of how a well built policy adds strategic value. For a comprehensive approach to DR, many facets of the business must be aligned and policy will form the backbone of that alignment. Along with many other facets of the business, DR requires:
Asset classification and inventory must be defined and implemented.
Business units must have an understanding of critical business applications and processes.
IT applications and infrastructure must be enabled with "DR" sensitive controls - backup and recovery, redundant systems, offsite storage/systems, etc.
Each of these functions needs to be a manifestation of policy and standards (outlining requirements) and procedures (impacting business processes). The point is that the ability to respond to and recover from a disaster - a highly strategic business objective - has its fundamental success tied to a comprehensive policy infrastructure.
Furthermore, compliance activities and policy development must be appropriately aligned. Policy without a corresponding compliance measurement and monitoring strategy will be looked at as unrealistic, ignored dogma. Compliance activities without a supporting policy infrastructure will result in high failure rates given that requirements have not been properly defined and communicated. In the end, policy definitions should drive specific compliance activities; both sides of the equation should move forward at the same rate.
Finally, the approach to policy must be holistic. Policy does not impact the organization if it is only words on the page. Therefore, management must support an active intention to insert policy into the IT culture. Policy should cover people, process and technology. Roles and responsibilities must be clearly defined; processes must be appropriately addressed and standards should be driven down to technology layer controls. A plan must be defined for the integration into processes across IT. This integration will be fueled by focused education and awareness campaigns.
Organizational Maturity
The process of implementing policy contains many stages of 'maturity'.
Define basic policy and awareness infrastructure.
The first iteration of policies and standards should communicate management's philosophy regarding the value of corporate information, the requirements to comply with policies and the consequences of noncompliance. Basing these policies on well known frameworks is a generally accepted good "first step". Policies and standards should be developed with a firm grasp of overall business objectives and an understanding of applicable laws and regulations.
Implement manual or limited compliance testing.
As a corresponding compliance activity, a process for testing the effectiveness of controls needs to be established and performed on a periodic basis (e.g., quarterly) and the results need to be documented and communicated to management. This stage will provide the
feedback necessary to improve the policy infrastructure based upon compliance levels and the ability to adopt practices and integrate
controls into processes.
Expand policy into a true knowledge base.
Obviously, high level policy with some supporting standards is not the long term objective. Additionally, maintaining manual compliance testing with hard copy or otherwise manual testing results is an arduous and ineffective method. Transforming policy into a "knowledge base" drives deeper into technical control documentation and standards and forms the basis for long term growth into automated compliance testing and reporting.
Implement broader awareness, training & testing.
Employees are the keys to an effective policy and compliance program and they must understand their role in the program. With the
establishment of a broader, deeper policy foundation, expectations and requirements must be streamlined to 'cut to the chase' for certain types of employees. In other words, awareness must transition to true training, including testing of knowledge and possible
employee certification.
Automate compliance testing & reporting.
Following along with the policy/compliance maturation process, the next enhancement of compliance management capabilities is to leverage compliance testing technologies to automate manual processes on each significant technology platform. This requires mapping the prescriptive requirements of the organization - identified earlier and articulated in the customized set of policies, standards and procedures - to technology that facilitates automated compliance data collection, and then deploying the solution across the enterprise.
The ultimate goal of setting policies is to influence behavior, set clear requirements and guide people through business decisions. A
comprehensive Policy Management process is the process of setting the policy in motion within the organization ensuring both proper
communication and compliance activities.
Executing the strategy
While the model above shows a basic maturity process for driving policy and compliance forward proportionally, laying the foundation of policy within the organization is a discrete set of basic steps.
Build the basic foundation.
The most common way to build a basic policy structure is to leverage common control frameworks such as ISO:17799, COBIT and ITIL. Companies must actually combine several of these frameworks to address all aspects of IT. ISO:17799 provides coverage for security; COBIT provides baselines for general IT controls; ITIL provides guidance for IT services. Therefore, the company really needs to unify these frameworks through an internal policy framework based upon their own business requirements and practices.
Documentation to articulate specific controls should be developed to guide operational procedures. For instance, Windows and Unix
have various methods to implement common control objectives. The administrators implementing the control need to have solid
guidance for control requirements with some latitude for final implementation. The foundational goal is to build the basic set of
content - policy, standards and procedural level documentation - that is actionable, tied to roles and responsibilities and measurable.
Define communication strategy.
Communication is critical to success. Employee onboarding and annual performance reviews are examples of business processes where policy communication can be inserted. Messaging on the importance of policy must be consistent and applied to multiple communication channels. Executive input and involvement is crucial for employees to know policy compliance is important to executive management.
Address sustainability and maintenance.
Ownership of content - policy, standards and procedural - must be established for ongoing maintenance. Maintenance should include periodic reviews and updates with feedback being provided by associated compliance processes. External input can be very helpful in sustaining the policy. IT should involve other operational groups - audit, legal, business units, etc. - to provide feedback on the IT "Service" oriented practices as well as regulatory and industry compliance requirements. A collaborative environment should be
instituted to leverage skill sets and knowledge across the enterprise. For large, multinational organizations, pockets of "gurus" can
greatly add to the overall quality of the process.
Connect peripheral processes, such as change management, SDLC, system implementation/build process and external/third party involvement, and establish policy related peripheral processes.
Definition of policies specific to IT services and processes will be necessary and is probably part of the "knowledge base" maturity level. Caution must be taken to allow for enough "implementation space" for operational groups to apply the standards to their environment. Policy related processes are also necessary for a long term policy strategy. Exception requests, compliance remediation, compliance feedback and other activities are driven purely from a policy perspective. These processes have to be defined and maintained in proportion to the policy and compliance maturity.
Align policy maturity and compliance activities.
There are two basic mantras for policy and compliance management: Policy and Compliance must progress proportionally together; Policy and Compliance must be holistic and include people, process and technology. These are important concepts to keep in mind during the development process. Compliance activities should be automated and/or facilitated as much as possible. Some controls can either be implemented or monitored in an automated fashion. These should be measured as efficiently as possible using appropriate tools. Other controls will be purely manual and will require other assessment, measurement or monitoring processes. Facilitating the measurement of these controls should also be automated as much as possible.
The ultimate goal in alignment of policy and compliance is to enable the organization to report on compliance state 1) in context of the policy and 2) in a consolidated manner. Automation will be necessary to gather compliance data. Analytics and reporting engines will be required to transform compliance data into business intelligence. A consolidated approach will improve the feedback loop to better reflect policy based upon business requirements as well as improve business risk management.
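The "Automate compliance testing & reporting" stage and the alignment goal above both describe the same mechanism: map each prescriptive standard under a policy to an automated test on a platform, collect the results, and roll them up so the compliance state is reported in the context of the policy. The following is an added example written for this page, not code from the article or from any product or framework the author mentions. The policy identifiers, standard texts, host names and configuration values are all constructed for illustration; the standards are deliberately simple so that the structure (policy, standard, automated or manual check, consolidated report) is the focus. It also shows the distinction the text draws between controls that can be tested automatically and those that remain manual, by carrying manual standards through the report as a separate count rather than silently dropping them.

```python
"""Policy -> standard -> automated check -> consolidated compliance report.

Added example for this page. Every policy, standard, host and configuration
value below is constructed for illustration and is not taken from the article
or from ISO:17799, COBIT, ITIL or any other real framework text.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Standard:
    id: str
    text: str
    check: Callable[[dict], bool]  # automated test run against one host's config
    manual: bool = False           # True when no automated test exists yet


@dataclass
class Policy:
    id: str
    statement: str
    standards: List[Standard]


# Constructed hosts: a Windows-style and a Unix-style system whose settings
# implement the same control objectives in different ways (see the article's
# point about administrators needing latitude for final implementation).
HOSTS: Dict[str, dict] = {
    "win-app-01": {"os": "windows", "min_password_length": 8,
                   "backup_last_success_days": 1, "audit_logging": True},
    "unix-db-02": {"os": "unix", "min_password_length": 14,
                   "backup_last_success_days": 3, "audit_logging": False},
}

# Constructed policy set. Each standard is phrased as a measurable requirement.
POLICIES: List[Policy] = [
    Policy("POL-AC", "Access to systems is controlled through authenticated accounts.", [
        Standard("STD-AC-1", "Passwords are at least 12 characters.",
                 lambda c: c["min_password_length"] >= 12),
        Standard("STD-AC-2", "Account reviews are performed quarterly.",
                 lambda c: False, manual=True),  # no automated data source
    ]),
    Policy("POL-DR", "Critical systems can be recovered after a disaster.", [
        Standard("STD-DR-1", "A successful backup exists within the last 7 days.",
                 lambda c: c["backup_last_success_days"] <= 7),
    ]),
    Policy("POL-LOG", "Security-relevant events are recorded.", [
        Standard("STD-LOG-1", "Audit logging is enabled.",
                 lambda c: bool(c["audit_logging"])),
    ]),
]


def evaluate(policies: List[Policy], hosts: Dict[str, dict]) -> dict:
    """Run every automated standard against every host.

    Returns {policy_id: {standard_id: {host: 'pass' | 'fail' | 'manual'}}},
    i.e. raw compliance data still keyed by the policy it belongs to.
    """
    results: dict = {}
    for pol in policies:
        results[pol.id] = {}
        for std in pol.standards:
            results[pol.id][std.id] = {
                host: "manual" if std.manual
                else ("pass" if std.check(cfg) else "fail")
                for host, cfg in hosts.items()
            }
    return results


def consolidate(results: dict) -> Dict[str, dict]:
    """Roll raw results up to one line per policy.

    automated_rate: share of automated (standard, host) pairs that passed,
                    or None when a policy has no automated standard at all.
    manual_standards: standards under the policy that still need a manual
                      assessment, so they are visible rather than ignored.
    """
    summary: Dict[str, dict] = {}
    for pol_id, stds in results.items():
        automated = [s for outcomes in stds.values()
                     for s in outcomes.values() if s != "manual"]
        manual = sum(1 for outcomes in stds.values()
                     if all(s == "manual" for s in outcomes.values()))
        rate: Optional[float] = (automated.count("pass") / len(automated)
                                 if automated else None)
        summary[pol_id] = {"automated_rate": rate, "manual_standards": manual}
    return summary


if __name__ == "__main__":
    raw = evaluate(POLICIES, HOSTS)
    for pol_id, line in consolidate(raw).items():
        rate = line["automated_rate"]
        shown = "n/a" if rate is None else f"{rate:.0%}"
        print(f"{pol_id}: automated compliance {shown}, "
              f"{line['manual_standards']} standard(s) awaiting manual assessment")
```

The raw `evaluate` output is what a per-host, per-standard drill-down would consume; `consolidate` is the policy-level view the text asks for. Keeping the policy id as the top-level key from collection through reporting is what makes "in context of the policy" cheap to achieve later, rather than something reconstructed after the fact.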
Conclusion
The myriad of compliance requirements every company faces is becoming more complicated. Additionally, business needs are driving towards increasingly complex technology environments and demanding a continued focus on distributed approaches to IT administration. IT Governance depends on a clear definition of policy for the enterprise. An IT policy and its supporting standards define the controls and requirements necessary for proper security, management and practices within the organization's information technology environment.
IT processes are a combination of people, policy and technologies. Combined effectively, these three elements provide a "defense in depth" at the organizational layer. Critical to this approach is the definition of policies, standards and technical controls aligned to the company's business and compliance needs. Furthermore, the only way to measure the success of a company's implementation of policy is through a disciplined compliance strategy which includes monitoring and enforcement. The combination of a comprehensive IT policy and a structured compliance program is the only way to efficiently and effectively meet a company's need for a regimented compliance infrastructure.
About the Author
Steve Schlarman is Chief Compliance Strategist at Brabeion Software. Mr. Schlarman has deep compliance, security and audit
expertise. Prior to joining Brabeion, he was a Director in PricewaterhouseCoopers' Advisory Practice focusing exclusively on
information security and compliance consulting and auditing. He is a member of ISACA and ISSA and holds both the CISSP and
CISM certifications. He may be reached via email at [email protected].
http://www.disaster-resource.com/articles/07p_106.shtml