[an error occurred while processing this directive]

Developing Effective
Policy, Procedures and Standards

By Steve Schlarman

Pick up any book on strategic business process development and, within the first few chapters, you will find a discussion on the importance of policy. Policies are the first line of defense against risk from an organizational perspective.

While technologies, processes, and ultimately, people are the soldiers on the front lines, policy is the strategic direction that guides the organization toward objectives and goals.

The importance of policy is supported by a quick review of current regulatory issues facing companies. While regulations, whether governmental or industry driven, are typically on the "grey" side when prescribing control requirements, the need for defined policy within the organization is always included.

Some examples:

  • In HIPAA, section § 164.308(a)(1)(i) states 'Security Management Process: Implement policies to prevent, contain, and correct security violations.'

  • Section 12 of the Payment Card Industry - Data Security Standard (PCI-DSS) contains a considerable discussion on maintaining a policy that addresses information security.

  • Gramm-Leach-Bliley (GLBA): 314.3 Security Management Process states (the company) 'shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards'.

However, policy is not just a 'check the box' activity for regulatory compliance. Policy defines the organization's response and posture for handling specific business processes.

Policy must be sanctioned by executive management and reflect the organizational view on acceptable business practices.
This includes the management of risks and execution of business processes. Policy must clearly define the structure, approach and philosophy to address a specific business aspect. In Information Technology, policy must cover all aspects of the IT organization - from software acquisition and development to security to disaster recovery to operational management. Policy also must be consistently communicated to the enterprise and applied to business process and strategy. Policy definition is not a one-time activity but must be ingrained into the culture of the organization.

Designing Policy

Designing policy, procedures and standards is a process that many organizations have undertaken for many parts of the business. For Information Technology, the goal is to implement a policy infrastructure that allows IT to manage risk appropriately, yet meet business needs.

First, policy must define the why, what, who, where and how of the IT process.

  • Why is the policy important? The first step is to understand why policy is being developed. Business requirements, external compliance, industry compliance or third party requirements, e.g. Service Level Agreements (SLAs) are examples of common drivers for policy implementation.

  • What are the requirements? - Policy and standards must be actionable. Policy sets the general direction; standards define specific actions and responsibilities. The two must work in concert to provide employees with the appropriate information to impact their jobs.

  • Who needs to know, execute and own the policy? Four hundred pages of policies and standards will not impact an employee unless dropped on their foot. Policy, standards and procedures must be specified as applicable to certain audiences for clear communication.

  • Where do the standards apply? - Policy has to be applied to multiple areas of the business. Identifying where certain requirements apply, while a significant task, is a must for a cost effective, business impact approach.

  • How will the standards be applied to business? The policy should be implemented in language relevant to the executors. Procedures, via control content, must be developed to build consistency across the enterprise.

Secondly, policy must be matured over a period of time with a clear strategic course. Policy can quickly become an administrative burden or an ignored dogma without a true sense of the strategic value of policy. Within IT, policy is absolutely critical in setting strategic objectives but even more important in building a culture focused on controlled, business oriented services. Disaster Recovery (DR) is a clear example of how a well built policy adds strategic value. For a comprehensive approach to DR, many facets of the business must be aligned and policy will form the backbone of that alignment. Along with many other facets of the business, DR requires:

  • Asset classification and inventory must be defined and implemented.

  • Business units must have an understanding of critical business applications and processes.

  • IT applications and infrastructure must be enabled with "DR" sensitive controls - backup and recovery, redundant systems, offsite storage/systems, etc.

Each of these functions needs to a manifestation of policy and standards (outlining requirements) and procedures (impacting business processes). The point is that the ability to respond and recover from a disaster - a highly strategic business objective - has its fundamental success tied to a comprehensive policy infrastructure.

Furthermore, compliance activities and policy development must be appropriately aligned. Policy without a corresponding compliance measurement and monitoring strategy will be looked at as unrealistic, ignored dogma. Compliance activities without a supporting policy infrastructure will result in high failure rates given that requirements have not been properly defined and communicated. In the end, policy definitions should drive specific compliance activities; both sides of the equation should move forward at the same rate.

Finally, the approach to policy must be holistic. Policy does not impact the organization if it is only words on the page. Therefore, management must support an active intention to insert policy into the IT culture. Policy should cover people, process and technology. Roles and responsibilities must be clearly defined; processes must be appropriately addressed and standards should be driven down to technology layer controls. A plan must be defined for the integration into processes across IT. This integration will be fueled by focused education and awareness campaigns.

Organizational Maturity

The process of implementing policy contains many stages of 'maturity'.

Define basic policy and awareness infrastructure.

The first iteration of policies and standards should communicate management's philosophy regarding the value of corporate information, the requirements to comply with policies and the consequences of noncompliance. Basing these policies on well known frameworks is a generally accepted good "first step". Policies and standards should be developed with a firm grasp of overall business objectives and an understanding of applicable laws and regulations.

Implement manual or limited compliance testing.

As a corresponding compliance activity, a process for testing the effectiveness of controls needs to be established and performed on a periodic basis (e.g., quarterly) and the results need to be documented and communicated to management. This stage will provide the feedback necessary to improve the policy infrastructure based upon compliance levels and the ability to adopt practices and integrate controls into processes.

Expand policy into a true knowledge base.

Obviously, high level policy with some supporting standards is not the long term objective. Additionally, maintaining manual compliance testing with hard copy or otherwise manual testing results is an arduous and ineffective method. Transforming policy into a "knowledge base" drives deeper into technical control documentation and standards and forms the basis for long term growth into automated compliance testing and reporting.

Implement broader awareness, training & testing.

Employees are the keys to an effective policy and compliance program and they must understand their role in the program. With the establishment of a broader, deeper policy foundation, expectations and requirements must be streamlined to 'cut to the chase' for certain types of employees. In other words, awareness must transition to true training, including testing of knowledge and possible employee certification.

Automate compliance testing & reporting.

Following along with the policy/compliance maturation process, the next enhancement of compliance management capabilities is to leverage compliance testing technologies to automate manual processes on each significant technology platform. This requires mapping the prescriptive requirements of the organization - identified earlier and articulated in the customized set of policies, standards and procedures - to technology that facilitates automated compliance data collection, and then deploying the solution across the enterprise.

The ultimate goal of setting policies is to influence behavior, set clear requirements and guide people through business decisions. A comprehensive Policy Management process is the process of setting the policy in motion within the organization ensuring both proper communication and compliance activities.

Executing the strategy

As the model above shows a basic maturity process for driving policy and compliance forward proportionally, laying the foundation of policy within the organization is a discrete set of basic steps.

Build the basic foundation.

The most common way to build a basic policy structure is to leverage common control frameworks such as ISO:17799, COBIT and ITIL. Companies must actually combine several of these frameworks to address all aspects of IT. ISO:17799 provides coverage for security; COBIT provides baselines for general IT controls; ITIL provides guidance for IT services. Therefore, the company really needs to unify these frameworks through an internal policy framework based upon their own business requirements and practices. Documentation to articulate specific controls should be developed to guide operational procedures. For instance, Windows and Unix have various methods to implement common control objectives. The administrators implementing the control need to have solid guidance for control requirements with some latitude for final implementation. The foundational goal is to build the basic set of content - policy, standards and procedural level documentation - that is actionable, tied to roles and responsibilities and measurable.

Define communication strategy.

Communication is critical to success. Employee onboarding and annual performance reviews are examples of business processes where policy communication can be inserted. Messaging on the importance of policy must be consistent and applied to multiple communication channels. Executive input and involvement is crucial for employees to know policy compliance is important to executive management.

Address sustainability and maintenance.

Ownership of content - policy, standards and procedural - must be established for ongoing maintenance. Maintenance should include periodic reviews and updates with feedback being provided by associated compliance processes. External input can be very helpful in sustaining the policy. IT should involve other operational groups - audit, legal, business units, etc. - to provide feedback on the IT "Service" oriented practices as well as regulatory and industry compliance requirements. A collaborative environment should be instituted to leverage skill sets and knowledge across the enterprise. For large, multinational organizations, pockets of "gurus" can greatly add to the overall quality of the process.

Connect peripheral processes, such as change management, SDLC, system implementation/build process and external/third party involvement and establish policy related peripheral process.

Definition of policies specific to IT services and processes will be necessary and is probably part of the "knowledge base" maturity level. Caution must be taken to allow for enough "implementation space" for operational groups to apply the standards to their environment. Policy related processes are also necessary for a long term policy strategy. Exception requests, compliance remediation, compliance feedback and other activities are driven purely from a policy perspective. These processes have to be defined and maintained in proportion to the policy and compliance maturity.

Align policy maturity and compliance activities.

There are two basic mantras for policy and compliance management - Policy and Compliance must progress proportionally together; Policy and Compliance must be holistic and include people, process and technology. These are important concepts to keep in mind during the development process. Compliance activities should be automated and/or facilitated as much as possible. Some controls can either be implemented or monitored in an automated fashion. These should be measured as efficiently as possible using appropriate tools. Other controls will be purely manual and will require other assessment, measurement or monitoring processes. Facilitating the measurement of these controls should also be automated as much as possible.

The ultimate goal in alignment of policy and compliance is to enable the organization to report on compliance state 1) in context of the policy and 2) in a consolidated manner. Automation will be necessary to gather compliance data. Analytics and reporting engines will be required to transform compliance data into business intelligence. A consolidated approach will improve the feedback loop to better reflect policy based upon business requirements as well as improve business risk management.


The myriad of compliance requirements every company faces is becoming more complicated. Additionally, business needs are driving towards increasingly complex technology environments and demanding a continued focus on distributed approaches to IT administration. IT Governance depends on a clear definition of policy for the enterprise. An IT policy and its supporting standards defines the controls and requirements necessary for proper security, management and practices within the organization's information technology environment.

IT processes are a combination of people, policy and technologies. Combined effectively, these three elements provide a "defense in depth" at the organizational layer. Critical to this approach is the definition of policies, standards and technical controls aligned to the company's business and compliance needs. Furthermore, the only way to measure the success of a company's implementation of policy is through a disciplined compliance strategy which includes monitoring and enforcement. The combination of a comprehensive IT policy and a structured compliance program is the only way to efficiently and effectively meet a company's need for a regimented compliance infrastructure.

About the Author
Steve Schlarman is Chief Compliance Strategist at Brabeion Software. Mr. Schlarman has deep compliance, security and audit expertise. Prior to joining Brabeion, he was a Director in PricewaterhouseCoopers' Advisory Practice focusing exclusively on information security and compliance consulting and auditing. He is a member of ISACA and ISSA and holds both the CISSP and CISM certifications. He may be reached via email at Steve.Schlarman@Brabeion.com.

[an error occurred while processing this directive]