Process 2: Create Policies
Figure 4. Create policies
Activities: Create Policies
In this process, the group responsible for policy creation actually drafts the policies, often through the use of a standardized policy template. Specific types of policies are used to address different topic areas. Security policies and privacy policies may result in detailed implementations and configurations of IT infrastructure. This may be expressed through a Group Policy Object (GPO). When taken all together, GPOs establish allowable activities related to devices, users, or user roles in an organization. Because of this tight relationship between security and privacy policy and group policy, this is an area where IT has developed considerable expertise and collateral knowledge (for example, see the Microsoft Identity and Access Management Series). Policy areas such as partner relationships, appropriate use, or knowledge management are often enforced through contracts and documents that are not directly machine-consumable. In these areas IT needs to assess the role of technology for gathering evidence of activity or for prohibiting activity that would be in violation of policy. IT should have an awareness of the goals of these broader policies, and then assist the business in understanding the technology implications for enforcement and evaluation. The following table lists the activities involved in this process.
These activities include:
- Creating policy governance policies.
- Creating security policies.
- Creating privacy policies.
- Creating partner relationship policies.
- Creating knowledge management policies.
- Creating appropriate use policies.
Table 5. Activities and Considerations for Creating Policies
Activities
Considerations
Create policy governance policies
Key questions:
- Who is ultimately responsible for the policies?
- What is the policy review and maintenance requirement?
- What is the mediation process in the event of a stalemate on policy?
Inputs:
- CEO strategy
- Operational strategy and vision
Outputs:
- Policy governance documents
Best practices:
- Create a central repository for all policies so that people know how to find them, who can answer questions about them, and how the policy change process works.
- Policies should have a consistent structure that reflects intent, general considerations, and any triggering events or special contexts, as well as clearly defined rules, guidelines, and expectations.
- Consider the evaluation of the policy during its creation, and give consideration to ways of measuring its effectiveness and usefulness.
Create security policies
Key questions:
- What are the threats and vulnerabilities of the business?
- What outside security requirements are applicable to the business?
- Who is responsible for security?
Inputs:
- Laws and regulations
- Operational plan
- Industry best practices
Outputs:
- Operational security policies
Best practices:
- For framework and template assistance, consult industry standards such as ISO 17799 or 27001.
- For further information about security policies, consult the Regulatory Compliance Planning Guide, a Microsoft Solution Accelerator.
Create privacy policies
Key questions:
- What privacy requirements are applicable to the business?
- What is the business vision with respect to privacy?
Inputs:
- Laws and regulations
- Best practices
- Privacy vision statement(s)
Outputs:
- Operational privacy policies
Best practices:
- For framework and template assistance, consult industry standards such as ISO 17799 or 27001.
Create partner relationship policies
Key questions:
- What are the key business partnerships?
- What are the operational requirements for key partners?
- Are there contingency plans for partners?
Inputs:
- Partnership list
- Business continuity plan(s)
- Operational vision statement
- Laws and regulations
Outputs:
- Operational partner policies
- Business continuity plan(s)
Best practices:
- Perform initial and periodic reviews to ensure that partners are complying with organizational policies.
- Ensure that contracts are written to ensure partners’ compliance with the intent of your company’s policies. (Avoid telling them exactly what to do to comply; those decisions belong to the management of their organization.) Contracts should also specify your organization’s right to audit your partners for compliance with your agreements. For more information on underlying contracts, see the Business/IT Alignment SMF.
Create knowledge management policies
Key questions:
- What are the organization’s document and e-mail requirements?
- Is the business subject to eDiscovery (policies and practices for data storage, archiving, and recovery)?
- What specific laws and regulations apply to your organization in terms of proper use and management of data, both in transit and at rest? What laws and regulations apply to your organization in terms of business continuance and disaster recovery (BC/DR)?
- Do your BC/DR plans address data lifecycle management issues such as data retention, encryption, and data restoration upon return to normal operations?
- What are the document and record retention and availability requirements?
Inputs:
- Laws and regulations
- Legal posture
- Document management systems
Outputs:
- Operational knowledge management policy
Best practices:
- Ensure that your organization, along with its legal department, drives data retention requirements. The business should determine the minimum or maximum length of time data must be retained, as well as where the data must be stored (some countries have requirements about data storage locations).
- When data retention requirements have been determined, IT should evaluate the data management lifecycle and write policies to reflect decisions about the multiple ways data might be stored and used (such as backup tapes and disks, remote storage, and physical copies on paper).
Create appropriate use policies
Key questions:
- Which laws and regulations is the business subject to?
- Are non-employees allowed access to systems and data?
- Are partners allowed access?
Inputs:
- Laws and regulations
- Corporate vision
- Legal advice
Outputs:
- Operational appropriate use policy
Best practices:
- Ensure that your organization drives the creation of appropriate use policies by evaluating your organization’s standards of conduct and reflecting these standards in IT policy when appropriate.
- During policy creation, think in broad terms about allowable use of IT resources as it relates to possible reputational, security, privacy, and financial risk.
- Include your organization’s standards of conduct when evaluating policies to see that the intent of these standards is clearly reflected.
This accelerator is part of a larger series of tools and guidance from Solution Accelerators.