You can come up with the best game plan in the world, but it will be useless until it’s put into action. In the same way, simply having an IT security policy isn’t enough; it needs to be practiced to be worthwhile.
That’s not to say that the content of your IT policy is unimportant. What goes into your IT policy matters – a lot. You don’t want to base your strategy on a bad game plan, after all. It is to say, though, that the content of an IT policy is just one component of the policy’s success.
And, the success of your IT policy is important. IT policies form the backbones of any security program. They provide direction for users and system administrators to ensure the security of networks and systems. They limit the likelihood of a successful attack or data breach.
They reduce risk, and they protect your organization.
In order to do all of that, an IT policy must be optimized in three ways: in content, in administration, and in practice.
Simply having an IT policy isn’t enough to keep your organization secure. A combination of these three components will give it a much higher chance of success.
So, what should go into an IT policy? Or, put another way: what makes the game plan good?
Every good IT policy has these components:
The first thing to iron out is the purpose of the IT policy. That may seem obvious or implied, but different objectives can shape the content of a policy considerably. Are you enacting a policy to comply with a certain set of standards – HIPAA, for example? Is it a general IT policy, created to reduce the risk of a data breach?
A clear statement of purpose will help to shape the standards contained in the policy.
It’s also essential to determine which users the policy will be targeted toward. Is the IT policy meant to apply to all network users? Do standards differ for system administrators?
Clearly identifying the audience will increase the relevancy of the standards.
Including a history of revisions in your IT policy isn’t quite as formative as the selection of a purpose and a target audience, but it can help to maintain the relevancy of the policy. After all, you don’t want to include redundant or non-current standards. A history of revisions can also help affected users to keep track of progress and note any changes.
This is the crux of any IT policy: the standards for user practices. For our purposes, we’ll use the common understanding of standards to mean: “a collection of system-specific or procedural-specific requirements that must be met by everyone.” Standards don’t refer to the entirety of the IT policy, but a policy will necessarily include IT standards.
Standards must be tailored to the needs of your organization, because each organization will have unique needs that must be addressed on an individual basis. These will typically be driven by the factors outlined above: objectives and audiences.
That being said, here are a few common issues that IT standards will nearly always address:
Having appropriate standards for these and other relevant IT issues is vital in creating a good IT security policy.
Policy administration is where the rubber meets the road.
Having someone in charge matters. A team will struggle to enact a good game plan without a coach to hold them accountable; players will do what seems best to them. Similarly, if nobody is in charge of your IT policy, nobody will follow your IT policy; with nobody to hold them accountable, users will do what seems best to them.
Administration is needed. The question is, though: who’s in charge?
Common thought may suggest that the IT department should be in charge of IT policy administration. While that’s understandable (the IT department will inevitably help to shape and carry out components of the policy), the truth is that ultimate accountability for an IT policy needs to come from the executive levels of an organization.
Company culture is always set from the top. Holding an IT department accountable for the administration of an IT security policy means segregating the priority of security to IT. Following the policy becomes something that “the IT guys” want users to do, when it needs to be something that the entire organization expects users to do.
It’s easier for a user to brush off the continual requests of an IT person than it is to brush off the demands of their organization.
Depending on the size of the organization, this may mean that ultimate accountability for policy administration falls on the CEO, the CIO, or a CISO. Regardless of the exact role, though, administration accountability needs to lie with organizational executives.
Finally, with content and administration settled, the final component to the success of an IT policy is in consistent practice – in the way the policy is carried out.
As we’ve discussed, practice does flow from administration, but there’s more to it than that. While accountability for an IT policy should come from the top levels of an organization, its enactment will nearly always be carried out by the IT department.
Successfully carrying out an IT policy generally involves:
With proper practice, an IT policy can be truly effective.
Having an IT policy is essential, but as we’ve seen, simply having a policy isn’t enough.
Create a great game plan, and don’t let it go to waste. Take the time to develop great content, administrate correctly, and put your policy into practice.
And, if you’re feeling a bit overwhelmed by the prospect of doing it all yourself, don’t worry – we can help.
In the face of constant IT fires and daily dilemmas, creating and maintaining a great IT policy can feel overwhelming. Whether you need an entire outsourced IT department or supplemental help, we can work with you to ensure that the important process of IT policy enactment is enacted properly.
Take a look at some of our solutions today, and get in touch to start putting a great IT policy into action.
IT systems are foundational to modern businesses. Too often, that foundation is unsteady. Unpredictable outages, insecure networks, and unreliable performance from mission-critical systems can jeopardize your entire business.
There’s a better way. Learn how.