Five Steps for Effective IT Policy Management
By Phara E. McLachlan | Posted 2011-12-06
More information and more access mean more challenges for the enterprise.
The explosion of public information accessible through cloud computing, social networking, mobile data and free software, along with intensified security and regulated compliance requirements, makes IT policy management increasingly complex and more important than ever.
Unfortunately, organizations often struggle to keep up with policy management and enforcement because it is too easy for employees, and even managers, to overstep their authority, typically without realizing it. The risk management factors alone are reason enough for establishing, communicating and enforcing effective IT policies.
Organizations may try to manage the policies, but often there is no mandated process to follow. Therefore, enterprises need to focus on managing and enforcing the policy process, not the policies themselves.
1. Create Ownership and Get the Policies Right
IT policies are necessary for the protection and efficient operation of the organization and the productivity of employees. But it is also important to carefully align policies with specific organizational needs and strategies.
The solution to making sure your IT policies are practical, adaptable and effective is the creation of a policy task force composed of key executives from every group or division affected by the policies. This creates accountable ownership of the IT policy management function. This group is responsible for creating, communicating, monitoring, changing and enforcing IT policy. Their first “task” is to develop policies based on what the organization needs, and then to establish processes and procedures for everything from software procurement and information security to compliance and disaster recovery.
2. Centralize the Policies
Decentralization may be a great strategy for larger companies, but it should not extend to IT policy. There may be policy exceptions for certain situations and groups, but even they need to be centralized so they can:
• Control costs
• Optimize IT assets and productivity
• Simplify IT processes
• Remain organized and compliant over time
• Monitor and enforce employee compliance.
3. Communicate Early and Often
Internal communication is a critical factor in policy and process management. If employees don’t understand the policies or follow the prescribed processes and procedures, policies can quickly become ineffective. Here are five methods for effectively communicating IT policies and procedures:
Get Employee Input. Nothing creates support and understanding for an initiative better than direct participation. It will give employees a sense of ownership of the policies.
Build Awareness. New policies, processes and procedures should be communicated frequently via multiple venues: dashboards, email notifications, log-in prompts, newsletters, etc. Also, the policies should be easily accessible to employees at all times on the intranet and/or printed handouts.
Create Buy-In. Even if employees had a chance to voice their opinions during the early stages of planning, it is important to build support for the policies, processes and procedures by explaining how they benefit everyone. People generally hate change and despise red tape, but they will usually support changes they perceive as being beneficial to them.
Provide Education and Training. Before new policies, processes and procedures go live, provide employees with an aggressive education or training program across the enterprise to build support, create understanding and mitigate potential issues that may arise.
Ongoing Education. As organizations and external factors change, so should the policies. An ongoing effort to keep employees abreast of those changes is important.
4. Refine Policies, Processes and Procedures as Needed
The work of the policy task force is never complete. Once policies are established, the task force needs to meet on a regular basis—monthly or bimonthly at a minimum—to assess efficacy and compliance, and to make adjustments as necessary. It’s their responsibility to make sure IT policies, processes and procedures remain aligned with all the changes occurring inside and outside the organization’s doors.
5. Enforce Policies, Processes and Procedures
You’ve obtained employee input, communicated the IT policies and processes and procedures, made an effort to get buy-in and trained everyone who needs it … and there are still a few malcontents who refuse to follow any of it. A little grumbling about changes is normal, but deliberate breaches of the process should be followed by clearly communicated, unambiguous punitive consequences. Without teeth, policies and procedures will gradually be compromised and put your entire organization at risk. The task force needs to establish a hierarchy of penalties and make sure everyone is aware of them.
Phara E. McLachlan is CEO of Animus Solutions, a management and IT consulting firm she founded in 2004. She has more than a decade of management and IT consulting experience with midsize to Fortune 500 organizations.