Export (0) Print
Expand All
1 out of 1 rated this helpful - Rate this topic

Process 5: Enforce and Evaluate Policy

Published: April 25, 2008

 

Figure 6. Enforce and evaluate policy

In this process, policies are enforced, and then evaluated for their effectiveness. Without an evaluation exercise, organizations may find that certain policies are actually impeding people’s ability to get work done; often an increase in the number and severity of violations is an indicator that policies need to be adjusted.

The following table lists the activities involved in this process. These activities include:

  • Enforcing the policy.
  • Requesting corrective action.
  • Analyzing policy enforcement.
  • Evaluating policy effectiveness.
  • Requesting policy change.

Table 8. Activities and Considerations for Enforcing and Evaluating Policies

Activities

Considerations

Enforce policy

Key questions:

  • What controls are in place to enforce policy?
  • Who are the appropriate persons to inform of enforcement?
  • What sort of records need to be kept?

Inputs:

  • Enforcement request

Outputs:

  • Enforcement action

Best practices

  • Be sensitive to your organization’s culture when enforcing policy. Does your business follow a defined chain of command, or do individuals have a certain amount of autonomy? How you communicate will have a direct effect on how successfully policies will be followed.
  • Decide whether exceptions are to be allowed. If they are, determine the criteria for exceptions and the process for exception handling.

Request corrective action

Key questions:

  • Has corrective action been previously applied?
  • What corrective action is needed now?

Inputs:

  • Parties identified as responsible for taking corrective action
  • Operational policies
  • List of policy violations
  • List of changes requested
  • List of possible policy changes

Outputs:

  • Corrective action request

Best practices

  • When faced with a policy breach, make sure you are aware of your organization’s range of available corrective actions (including training, discussion with management, letter of reprimand, loss of salary, or loss of employment).
  • As you develop a channel for corrective action requests, ensure that requesters have the option to communicate anonymously.

Analyze policy enforcement

Key questions:

  • How many policy enforcement actions have been required?
  • What was the root cause of these policy enforcement actions?
  • Do the policies make it easy for users to do the right thing and difficult for them to do the wrong thing?

Inputs:

  • Operational policies
  • List of policy violations
  • List of changes requested
  • List of possible policy changes

Outputs:

  • Policy change proposal

Best practices:

  • Excessive enforcement actions are a sign of problems with a policy’s content or intent. If enforcement is occurring frequently, investigate the policy’s requirements—they may be inhibiting an organization from getting necessary work done.

Evaluate policy effectiveness

Key questions:

  • How effective are the policies?
  • How many violations occur?
  • How many of the violations are justifiable?
  • Is the cost of enforcement within the expected, planned-for range?

Inputs:

  • Operational policies
  • IT principals

Outputs:

  • List of policy violations
  • List of changes requested
  • List of possible policy changes

Best practices:

  • Look for patterns and root causes during evaluation. For more information on root cause analysis, see the Problem Management SMF.
  • Consider how policies will be evaluated during their creation; determining what “effectiveness” means as you start out will save time in the evaluation process.
  • As you evaluate policies, think about whether their creation and enforcement have resulted in unintended consequences and whether the intended consequences were realized.

Request policy change

Key questions:

  • Do all stakeholders agree that this change is warranted?
  • Why make this change? What do we expect it to improve, and how?
  • What other policies, business process, or workflows are affected by this change?

Inputs:

  • Policy change proposal

Outputs:

  • Changed policy

Best practices:

  • Consider whether the situation warrants a policy change or a one-time-only exception.
  • Because policy changes have a broad, sweeping impact, don’t make a policy change without going back through the change control process and involving the necessary people. For more about the change control process, see the Change and Configuration SMF.

This accelerator is part of a larger series of tools and guidance from Solution Accelerators.

Download

Get the Microsoft Operations Framework 4.0

Solution Accelerators Notifications

Sign up to learn about updates and new releases

Feedback

Send us your comments or suggestions

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft. All rights reserved.