The explosion of public information accessible
through cloud computing, social networking, mobile data and free software,
along with intensified security and regulated compliance requirements, makes IT
policy management increasingly complex and more important than ever.
Unfortunately, organizations often struggle to keep up with
policy management and enforcement because it is too easy for employees, and
even managers, to overstep their authority, typically without realizing it. The
risk management factors alone are reason enough for establishing, communicating
and enforcing effective IT policies.
Organizations may try to manage the policies, but often
there is no mandated process to follow. Therefore, enterprises need to focus on
managing and enforcing the policy process, not the policies themselves.
1. Create Ownership and Get the Policies Right
IT policies are necessary for the protection and efficient
operation of the organization and the productivity of employees. But it is also
important to carefully align policies with specific organizational needs and
strategies.
The solution to making sure your IT policies are practical,
adaptable and effective is the creation of a policy task force composed of key
executives from every group or division affected by the policies. This creates
accountable ownership of the IT policy management function. This group is
responsible for creating, communicating, monitoring, changing and enforcing IT
policy. Their first “task” is to develop policies based on what the
organization needs, and then to establish processes and procedures for everything
from software procurement and information security to compliance and disaster
recovery.
2. Centralize the Policies
Decentralization may be a great strategy for larger
companies, but it should not extend to IT policy. There may be policy exceptions
for certain situations and groups, but even they need to be centralized so they
can:
• Control costs
• Optimize IT assets and productivity
• Simplify IT processes
• Remain organized and compliant over time
• Monitor and enforce employee compliance
3. Communicate Early and Often
Internal communication is a critical factor in policy and
process management. If employees don’t understand the policies or follow the
prescribed processes and procedures, policies can quickly become ineffective.
Here are five methods for effectively communicating IT policies and procedures:
Get Employee Input. Nothing creates support and
understanding for an initiative better than direct participation. It will give
employees a sense of ownership of the policies.
Build Awareness. New policies, processes and procedures
should be communicated frequently via multiple venues: dashboards, email
notifications, log-in prompts, newsletters, etc. Also, the policies should be
easily accessible to employees at all times on the intranet and/or printed
handouts.
Create Buy-In. Even if employees had a chance to voice their
opinions during the early stages of planning, it is important to build support
for the policies, processes and procedures by explaining how they benefit
everyone. People generally hate change and despise red tape, but they will
usually support changes they perceive as being beneficial to them.
Provide Education and Training. Before new policies,
processes and procedures go live, provide employees with an aggressive
education or training program across the enterprise to build support, create
understanding and mitigate potential issues that may arise.
Ongoing Education. As organizations and external factors
change, so should the policies. An ongoing effort to keep employees abreast of
those changes is important.
4. Refine Policies, Processes and Procedures as Needed
The work of the policy task force is never complete. Once
policies are established, the task force needs to meet on a regular
basis—monthly or bimonthly at a minimum—to assess efficacy and compliance, and
to make adjustments as necessary. It’s their responsibility to make sure IT
policies, processes and procedures remain aligned with all the changes
occurring inside and outside the organization’s doors.
5. Enforce Policies, Processes and Procedures
You’ve obtained employee input, communicated the IT policies,
processes and procedures, made an effort to get buy-in and trained everyone
who needs it … and there are still a few malcontents who refuse to follow any
of it. A little grumbling about changes is normal, but deliberate breaches of
the process should be followed by clearly communicated, unambiguous punitive
consequences. Without teeth, policies and procedures will gradually be
compromised and put your entire organization at risk. The task force needs to
establish a hierarchy of penalties and make sure everyone is aware of them.
Phara E. McLachlan is CEO of Animus Solutions, a management
and IT consulting firm she founded in 2004. She has more than a decade of management
and IT consulting experience with midsize to Fortune 500 organizations.