
Upload: bettina-caronongan

Post on 04-Apr-2018


Page 1: Developing Effective

7/29/2019 Developing Effective

http://slidepdf.com/reader/full/developing-effective 1/4

Developing Effective Policy, Procedures and Standards

By Steve Schlarman

Pick up any book on strategic business process development and, within the first few chapters, you will find a discussion on the importance of policy. Policies are the first line of defense against risk from an organizational perspective.

While technologies, processes, and ultimately, people are the soldiers on the front lines, policy is the strategic direction that guides the organization toward objectives and goals.

The importance of policy is supported by a quick review of current regulatory issues facing companies. While regulations, whether governmental or industry driven, are typically on the "grey" side when prescribing control requirements, the need for defined policy within the organization is always included.

Some examples:

- In HIPAA, section § 164.308(a)(1)(i) states 'Security Management Process: Implement policies to prevent, contain, and correct security violations.'

- Section 12 of the Payment Card Industry - Data Security Standard (PCI-DSS) contains a considerable discussion on maintaining a policy that addresses information security.

- Gramm-Leach-Bliley (GLBA): 314.3 Security Management Process states (the company) 'shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards'.

However, policy is not just a 'check the box' activity for regulatory compliance. Policy defines the organization's response and posture for handling specific business processes.

Policy must be sanctioned by executive management and reflect the organizational view on acceptable business practices. This includes the management of risks and execution of business processes. Policy must clearly define the structure, approach and philosophy to address a specific business aspect. In Information Technology, policy must cover all aspects of the IT organization - from software acquisition and development to security to disaster recovery to operational management. Policy also must be consistently communicated to the enterprise and applied to business process and strategy. Policy definition is not a one-time activity but must be ingrained into the culture of the organization.

Designing Policy

Designing policy, procedures and standards is a process that many organizations have undertaken for many parts of the business. For Information Technology, the goal is to implement a policy infrastructure that allows IT to manage risk appropriately, yet meet business needs.

First, policy must define the why, what, who, where and how of the IT process.

- Why is the policy important? The first step is to understand why policy is being developed. Business requirements, external compliance, industry compliance or third party requirements, e.g. Service Level Agreements (SLAs), are examples of common drivers for policy implementation.

- What are the requirements? Policy and standards must be actionable. Policy sets the general direction; standards define specific actions and responsibilities. The two must work in concert to provide employees with the appropriate information to impact their jobs.

- Who needs to know, execute and own the policy? Four hundred pages of policies and standards will not impact an employee unless dropped on their foot. Policy, standards and procedures must be specified as applicable to certain audiences for clear communication.

- Where do the standards apply? Policy has to be applied to multiple areas of the business. Identifying where certain requirements apply, while a significant task, is a must for a cost effective, business impact approach.

- How will the standards be applied to business? The policy should be implemented in language relevant to the executors. Procedures, via control content, must be developed to build consistency across the enterprise.

Secondly, policy must be matured over a period of time with a clear strategic course. Policy can quickly become an administrative burden or an ignored dogma without a true sense of the strategic value of policy. Within IT, policy is absolutely critical in setting strategic objectives but even more important in building a culture focused on controlled, business oriented services. Disaster Recovery (DR) is a clear example of how a well built policy adds strategic value. For a comprehensive approach to DR, many facets of the business must be aligned and policy will form the backbone of that alignment. Along with many other facets of the business, DR requires:

- Asset classification and inventory must be defined and implemented.

- Business units must have an understanding of critical business applications and processes.

- IT applications and infrastructure must be enabled with "DR" sensitive controls - backup and recovery, redundant systems, offsite storage/systems, etc.

Each of these functions needs to be a manifestation of policy and standards (outlining requirements) and procedures (impacting business processes). The point is that the ability to respond and recover from a disaster - a highly strategic business objective - has its fundamental success tied to a comprehensive policy infrastructure.

Furthermore, compliance activities and policy development must be appropriately aligned. Policy without a corresponding compliance measurement and monitoring strategy will be looked at as unrealistic, ignored dogma. Compliance activities without a supporting policy infrastructure will result in high failure rates given that requirements have not been properly defined and communicated. In the end, policy definitions should drive specific compliance activities; both sides of the equation should move forward at the same rate.

Finally, the approach to policy must be holistic. Policy does not impact the organization if it is only words on the page. Therefore, management must support an active intention to insert policy into the IT culture. Policy should cover people, process and technology. Roles and responsibilities must be clearly defined; processes must be appropriately addressed and standards should be driven down to technology layer controls. A plan must be defined for the integration into processes across IT. This integration will be fueled by focused education and awareness campaigns.

Organizational Maturity

The process of implementing policy contains many stages of 'maturity'.

Define basic policy and awareness infrastructure.

The first iteration of policies and standards should communicate management's philosophy regarding the value of corporate information, the requirements to comply with policies and the consequences of noncompliance. Basing these policies on well known frameworks is a generally accepted good "first step". Policies and standards should be developed with a firm grasp of overall business objectives and an understanding of applicable laws and regulations.

Implement manual or limited compliance testing.

As a corresponding compliance activity, a process for testing the effectiveness of controls needs to be established and performed on a periodic basis (e.g., quarterly) and the results need to be documented and communicated to management. This stage will provide the feedback necessary to improve the policy infrastructure based upon compliance levels and the ability to adopt practices and integrate controls into processes.

Expand policy into a true knowledge base.

Obviously, high level policy with some supporting standards is not the long term objective. Additionally, maintaining manual compliance testing with hard copy or otherwise manual testing results is an arduous and ineffective method. Transforming policy into a "knowledge base" drives deeper into technical control documentation and standards and forms the basis for long term growth into automated compliance testing and reporting.

Implement broader awareness, training & testing.

Employees are the keys to an effective policy and compliance program and they must understand their role in the program. With the establishment of a broader, deeper policy foundation, expectations and requirements must be streamlined to 'cut to the chase' for certain types of employees. In other words, awareness must transition to true training, including testing of knowledge and possible employee certification.

Automate compliance testing & reporting.

Following along with the policy/compliance maturation process, the next enhancement of compliance management capabilities is to leverage compliance testing technologies to automate manual processes on each significant technology platform. This requires mapping the prescriptive requirements of the organization - identified earlier and articulated in the customized set of policies, standards and procedures - to technology that facilitates automated compliance data collection, and then deploying the solution across the enterprise.

The ultimate goal of setting policies is to influence behavior, set clear requirements and guide people through business decisions. A comprehensive Policy Management process is the process of setting the policy in motion within the organization, ensuring both proper communication and compliance activities.

Executing the strategy

The model above shows a basic maturity process for driving policy and compliance forward proportionally; laying the foundation of policy within the organization is a discrete set of basic steps.

Build the basic foundation.

The most common way to build a basic policy structure is to leverage common control frameworks such as ISO:17799, COBIT and ITIL. Companies must actually combine several of these frameworks to address all aspects of IT. ISO:17799 provides coverage for security; COBIT provides baselines for general IT controls; ITIL provides guidance for IT services. Therefore, the company really needs to unify these frameworks through an internal policy framework based upon their own business requirements and practices. Documentation to articulate specific controls should be developed to guide operational procedures. For instance, Windows and Unix have various methods to implement common control objectives. The administrators implementing the control need to have solid guidance for control requirements with some latitude for final implementation. The foundational goal is to build the basic set of content - policy, standards and procedural level documentation - that is actionable, tied to roles and responsibilities and measurable.

Define communication strategy.

Communication is critical to success. Employee onboarding and annual performance reviews are examples of business processes where policy communication can be inserted. Messaging on the importance of policy must be consistent and applied to multiple communication channels. Executive input and involvement is crucial for employees to know policy compliance is important to executive management.

Address sustainability and maintenance.

Ownership of content - policy, standards and procedural - must be established for ongoing maintenance. Maintenance should include periodic reviews and updates with feedback being provided by associated compliance processes. External input can be very helpful in sustaining the policy. IT should involve other operational groups - audit, legal, business units, etc. - to provide feedback on the IT "Service" oriented practices as well as regulatory and industry compliance requirements. A collaborative environment should be instituted to leverage skill sets and knowledge across the enterprise. For large, multinational organizations, pockets of "gurus" can greatly add to the overall quality of the process.

Connect peripheral processes, such as change management, SDLC, system implementation/build process and external/third party involvement, and establish policy related peripheral processes.

Definition of policies specific to IT services and processes will be necessary and is probably part of the "knowledge base" maturity level. Caution must be taken to allow for enough "implementation space" for operational groups to apply the standards to their environment. Policy related processes are also necessary for a long term policy strategy. Exception requests, compliance remediation, compliance feedback and other activities are driven purely from a policy perspective. These processes have to be defined and maintained in proportion to the policy and compliance maturity.

Align policy maturity and compliance activities.

There are two basic mantras for policy and compliance management: Policy and Compliance must progress proportionally together; Policy and Compliance must be holistic and include people, process and technology. These are important concepts to keep in mind during the development process. Compliance activities should be automated and/or facilitated as much as possible. Some controls can either be implemented or monitored in an automated fashion. These should be measured as efficiently as possible using appropriate tools. Other controls will be purely manual and will require other assessment, measurement or monitoring processes. Facilitating the measurement of these controls should also be automated as much as possible.

The ultimate goal in alignment of policy and compliance is to enable the organization to report on compliance state 1) in context of the policy and 2) in a consolidated manner. Automation will be necessary to gather compliance data. Analytics and reporting engines will be required to transform compliance data into business intelligence. A consolidated approach will improve the feedback loop to better reflect policy based upon business requirements as well as improve business risk management.

Conclusion

The myriad of compliance requirements every company faces is becoming more complicated. Additionally, business needs are driving towards increasingly complex technology environments and demanding a continued focus on distributed approaches to IT administration. IT Governance depends on a clear definition of policy for the enterprise. An IT policy and its supporting standards define the controls and requirements necessary for proper security, management and practices within the organization's information technology environment.

IT processes are a combination of people, policy and technologies. Combined effectively, these three elements provide a "defense in depth" at the organizational layer. Critical to this approach is the definition of policies, standards and technical controls aligned to the company's business and compliance needs. Furthermore, the only way to measure the success of a company's implementation of policy is through a disciplined compliance strategy which includes monitoring and enforcement. The combination of a comprehensive IT policy and a structured compliance program is the only way to efficiently and effectively meet a company's need for a regimented compliance infrastructure.

About the Author 

Steve Schlarman is Chief Compliance Strategist at Brabeion Software. Mr. Schlarman has deep compliance, security and audit expertise. Prior to joining Brabeion, he was a Director in PricewaterhouseCoopers' Advisory Practice focusing exclusively on information security and compliance consulting and auditing. He is a member of ISACA and ISSA and holds both the CISSP and CISM certifications. He may be reached via email at [email protected]

http://www.disaster-resource.com/articles/07p_106.shtml