Process 2: Create Policies


Figure 4. Create policies

Activities: Create Policies

In this process, the group responsible for policy creation actually drafts the policies, often through the use of a standardized policy template. Specific types of policies are used to address different topic areas. Security policies and privacy policies may result in detailed implementations and configurations of IT infrastructure. This may be expressed through a Group Policy Object (GPO). When taken all together, GPOs establish allowable activities related to devices, users, or user roles in an organization. Because of this tight relationship between security and privacy policy and group policy, this is an area where IT has developed considerable expertise and collateral knowledge (for example, see the Microsoft Identity and Access Management Series). Policy areas such as partner relationships, appropriate use, or knowledge management are often enforced through contracts and documents that are not directly machine-consumable. In these areas IT needs to assess the role of technology for gathering evidence of activity or prohibiting activity that would be in violation of policy. IT should have an awareness of the goals of these broader policies, and then assist the business in understanding the technology implications for enforcement and evaluation. The following table lists the activities involved in this process.

These activities include:

  • Creating policy governance policies.
  • Creating security policies.
  • Creating privacy policies.
  • Creating partner relationship policies.
  • Creating knowledge management policies.
  • Creating appropriate use policies.

Table 5. Activities and Considerations for Creating Policies

Activities

Considerations

Create policy governance policies

Key questions:

  • Who is ultimately responsible for the policies?
  • What is the policy review and maintenance requirement?
  • What is the mediation process in the event of a stalemate on policy?

Inputs:

  • CEO strategy
  • Operational strategy and vision

Outputs:

  • Policy governance documents

Best practices:

  • Create a central repository for all policies so that people know how to find them, who can answer questions about them, and how the policy change process works.
  • Policies should have a consistent structure that reflects intent, general considerations, and any triggering events or special contexts, as well as clearly defined rules, guidelines, and expectations.
  • Consider the evaluation of the policy during its creation, and give consideration to ways of measuring its effectiveness and usefulness.

Create security policies

Key questions:

  • What are the threats and vulnerabilities of the business?
  • What outside security requirements are applicable to the business?
  • Who is responsible for security?

Inputs:

  • Laws and regulations
  • Operational plan
  • Industry best practices

Outputs:

  • Operational security policies

Best practices:

  • For framework and template assistance, consult industry standards such as ISO 17799 or 27001.
  • For further information about security policies, consult the Regulatory Compliance Planning Guide, a Microsoft Solution Accelerator.

Create privacy policies

Key questions:

  • What privacy requirements are applicable to the business?
  • What is the business vision with respect to privacy?

Inputs:

  • Laws and regulations
  • Best practices
  • Privacy vision statement(s)

Outputs:

  • Operational privacy policies

Best practices:

  • For framework and template assistance, consult industry standards such as ISO 17799 or 27001.

Create partner relationship policies

Key questions:

  • What are the key business partnerships?
  • What are the operational requirements for key partners?
  • Are there contingency plans for partners?

Inputs:

  • Partnership list
  • Business continuity plan(s)
  • Operational vision statement
  • Laws and regulations

Outputs:

  • Operational partner policies
  • Business continuity plan(s)

Best practices:

  • Perform initial and periodic reviews to ensure that partners are complying with organizational policies.
  • Ensure that contracts are written to ensure partners’ compliance with the intent of your company’s policies. (Avoid telling them exactly what to do to comply; those decisions belong to the management of their organization.) Contracts should also specify your organization’s right to audit your partners for compliance with your agreements. For more information on underlying contracts, see the Business/IT Alignment SMF.

Create knowledge management policies

Key questions:

  • What are the organization’s document and e-mail requirements?
  • Is the business subject to eDiscovery (policies and practices for data storage, archiving, and recovery)?
  • What specific laws and regulations apply to your organization in terms of proper use and management of data, both in transit and at rest? What laws and regulations apply to your organization in terms of business continuance and disaster recovery (BC/DR)?
  • Do your BC/DR plans address data lifecycle management issues such as data retention, encryption, and data restoration upon return to normal operations?
  • What are the document and record retention and availability requirements?

Inputs:

  • Laws and regulations
  • Legal posture
  • Document management systems

Outputs:

  • Operational knowledge management policy

Best practices:

  • Ensure that your organization, along with its legal department, drives data retention requirements. The business should determine the minimum or maximum length of time data must be retained, as well as where the data must be stored (some countries have requirements about data storage locations).
  • When data retention requirements have been determined, IT should evaluate the data management lifecycle and write policies to reflect decisions about the multiple ways data might be stored and used (such as backup tapes and disks, remote storage, and physical copies on paper).

Create appropriate use policies

Key questions:

  • Which laws and regulations is the business subject to?
  • Are non-employees allowed access to systems and data?
  • Are partners allowed access?

Inputs:

  • Laws and regulations
  • Corporate vision
  • Legal advice

Outputs:

  • Operational appropriate use policy

Best practices:

  • Ensure that your organization drives the creation of appropriate use policies by evaluating your organization’s standards of conduct and reflecting these standards in IT policy when appropriate.
  • During policy creation, think in broad terms about allowable use of IT resources as it relates to possible reputational, security, privacy, and financial risk.
  • Include your organization’s standards of conduct when evaluating policies to see that the intent of these standards is clearly reflected.

This accelerator is part of a larger series of tools and guidance from Solution Accelerators.

Get the Microsoft Operations Framework 4.0