IT Policies and Procedures
When creating Policies and Procedures, it can be difficult to know where to start. Some companies have templates to help in detailing the Policies and Procedures, but remember, the goal is always to get something that is easily understood into the hands of the affected users. So, while you are developing the documents, keep in mind this question: Who needs to know What, and When do they need to know it?
Something to keep in mind is that the Policy is not a document; a Policy is what is allowed or not allowed in your company. When we focus on the actual rules and requirements instead of the documents, it is easier to define Who, What and When.
When creating Policies and Procedures, there are several sources available to us for templates and examples, such as ISO 27000, NIST, NERC, PCI, etc. It is not important that the writer of the Policies and Procedures read and know all the standards in detail; however, as a policy writer they should at least be familiar with all of them so they know how each applies to your organization.
When starting to create the documents, begin by listing the high-level policy requirements and the regulations that they address. This can be as simple as “Users must have a password with Letters, Numbers and Non-Alpha Characters” or “All sensitive data must be secured”. This is where being familiar with the standards is helpful.
Next, you need to decide who the document is for. Remember that you have different groups of people reading these, and they don’t all need the same level of information. A Process document is usually written for management and auditors who need to see the “Big Picture”. On the other hand, Work Instructions are for the people whose job it is to perform the detailed tasks that support the “Big Picture”. While the audience for the Process document probably cares about a Purpose section in the document they are reading, this section would be redundant in the Work Instructions.
We must make sure that the Policy documents we create are understandable and to the point. A one-size-fits-all approach does not work and creating separate documents for each audience type is both time consuming and confusing to the various readers. You do not want to leave it up to the readers to decide what policies and what parts of those policies apply to them. To remedy this, you can use a table or matrix format to make things easier to understand.
For instance, your Change Management Procedure is the same for anyone that is making changes, but by using a Decision Matrix that includes network scenarios, application scenarios, and telecom scenarios, each of these types of users would understand when and how to implement the Procedure.
It is not enough just to create these Policies and Procedures and put them in a book or on your Intranet for all the employees to read; training must be performed so they understand the background and purpose of the Policies and Procedures. Here are some things to consider when developing and performing the training.
- Schedule multiple training sessions a year to accommodate changes and new employees.
- Make the training sessions live and interactive so that questions can be asked.
- Consider doing the training during lunch time and providing lunch to the attendees; people will make time in their day for free food.
- Ask the participants for suggestions on improving the Procedures and Work Instructions.
In conclusion, if you consider who will be reading the Policies and Procedures you are creating, it will make the task much easier for you in the end.