The explosion of public information accessiblethrough cloud computing, social networking, mobile data and free software,along with intensified security and regulated compliance requirements, makes ITpolicy management increasingly complex and more important than ever.
Unfortunately, organizations often struggle to keep up withpolicy management and enforcement because it is too easy for employees, andeven managers, to overstep their authority, typically without realizing it. Therisk management factors alone are reason enough for establishing, communicatingand enforcing effective IT policies.
Organizations may try to manage the policies, but oftenthere is no mandated process to follow. Therefore, enterprises need to focus onmanaging and enforcing the policy process, not the policies themselves.
1. Create Ownership and Get the Policies Right
IT policies are necessary for the protection and efficientoperation of the organization and the productivity of employees. But it is alsoimportant to carefully align policies with specific organizational needs andstrategies.
The solution to making sure your IT policies are practical,adaptable and effective is the creation of a policy task force composed of keyexecutives from every group or division affected by the policies. This createsaccountable ownership of the IT policy management function. This group isresponsible for creating, communicating, monitoring, changing and enforcing ITpolicy. Their first ?task? is to develop policies based on a what theorganization needs, and then to establish processes and procedures for everythingfrom software procurement and information security to compliance and disasterrecovery.
2. Centralize the Policies
Decentralization may be a great strategy for largercompanies, but IT policy should not be included. There may be policy exceptionsfor certain situations and groups, but even they need to be centralized so theycan:
? Control costs
? Optimize IT assets and productivity
? Simplify IT processes
? Remain organized and compliant over time
? Monitor and enforce employee compliance.
3. Communicate Early and Often
Internal communication is a critical factor in policy andprocess management. If employees don?t understand the policies or follow theprescribed processes and procedures, policies can quickly become ineffective.Here are five methods for effectively communicating IT policies and procedures:
Get Employee Input. Nothing creates support andunderstanding for an initiative better than direct participation. It will giveemployees a sense of ownership of the policies.
Build Awareness. New policies, processes and proceduresshould be communicated frequently via multiple venues: dashboards, emailnotifications, log-in prompts, newsletters, etc. Also, the policies should beeasily accessible to employees at all times on the intranet and/or printedhandouts.
Create Buy-In. Even if employees had a chance to voice theiropinions during the early stages of planning, it is important to build supportfor the policies, processes and procedures by explaining how they benefiteveryone. People generally hate change and despise red tape, but they willusually support changes they perceive as being beneficial to them.
Provide Education and Training. Before new policies,processes and procedures go live, provide employees with an aggressiveeducation or training program across the enterprise to build support, createunderstanding and mitigate potential issues that may arise.
Ongoing Education. As organizations and external factorschange, so should the policies. An ongoing effort to keep employees abreast ofthose changes is important.
4. Refine Policies, Processes and Procedures as Needed
The work of the policy task force is never complete. Oncepolicies are established, the task force needs to meet on a regularbasis?monthly or bimonthly at a minimum?to assess efficacy and compliance, andto make adjustments as necessary. It?s their responsibility to make sure ITpolicies, processes and procedures remain aligned with all the changesoccurring inside and outside the organization?s doors.
5. Enforce Policies, Processes and Procedures
You?ve obtained employee input, communicated the IT policiesand processes and procedures, made an effort to get buy-in and trained everyonewho needs it ? and there are still a few malcontents who refuse to follow anyof it. A little grumbling about changes is normal, but deliberate breaches ofthe process should be followed by clearly communicated, unambiguous punitiveconsequences. Without teeth, policies and procedures will gradually becompromised and put your entire organization at risk. The task force needs toestablish a hierarchy of penalties and make sure everyone is aware of them.
Phara E. McLachlan is CEO of Animus Solutions, a managementand IT consulting firm she founded in 2004. She has more than a decade of managementand IT consulting experience with midsize to Fortune 500 organizations.