Harrisburg University ISEM 547

IT Policy

Objectives

Why Policy?

Policy, Procedures, Guidelines

Writing IT Policy (Best Practices)

IT Policy Management

IT Policy

What are Policies, Procedures, Guidelines & Standards?

Policies are principles, rules, and protocols formulated or adopted by an organization to govern its actions.

The requirements outlined in policies are used to control and guide important organizational decisions (e.g., managerial, financial, administrative, acquisitions, contractual, programmatic, operational, technical, etc.) within the boundaries set by them

Procedures are specific instructions to be used to implement policy requirements in a specific way; they are enforceable through the policy

Guidelines are general rules, practices, and/or instructions that can be referenced to comply with policy; they are not enforceable but recommended as best practices that should be followed

Standards refer to something that is considered by an authority or by general consent as a basis of comparison (e.g., industry, protocols, academic, etc.)

The purpose of standards is to outline agreed principles or criteria, so that their users can make reliable assumptions about a particular product, service or practice

Standards are often referenced in policies or can be used to frame a policy

Policies should have a formal lifecycle and change management process

Why IT Policy is Important

Primary reasons for IT Policy:

Protecting corporate assets (keeping systems and corporate information safe)

Policy aligns stakeholders, drives desired behaviors and actions, and provides guidance on how to do things

Only written and published policy can be used to prove the company has exercised “Due Diligence” in a court of law

There may be legal or regulatory reasons a policy must be created and published (e.g., HIPAA, FTI1075, Federal Green-Book Standard, etc.)

Enable an organization to manage business risk through defined controls that provide a benchmark for audit and corrective action

Without documented policies and procedures, each and every employee and contractor will act in accordance with their own perception of acceptable use, and system management will be ad hoc and inconsistent

Features of good policy

Features of good policy usually include the following

Specific- Policy should be specific/definite. If it is uncertain, then the implementation will become difficult.

Clear & Understandable - Policy must be unambiguous. It should avoid the use of jargon and connotations. There should be no misunderstandings in following the policy. Unclear policies can lead to indecisiveness and uncertainty in the minds of those who look to it for guidance

Uniform- Policy must be uniform enough so that it can be efficiently followed by the subordinates.

Appropriate- Policy should be appropriate to the present organizational strategies and goals and address the intended policy objectives.

Simple- A policy should be simple and easily understood by all in the organization.

Inclusive/Comprehensive- In order to have a wide scope, a policy must be comprehensive.

Flexible- Policy should be flexible in operation/application. This does not imply that a policy should always be altered, but it should be wide enough in scope to ensure that line managers can use it in repetitive/routine scenarios.

Enforceable- Policy should be monitored, with established criteria for how it will be enforced and how compliance will be determined

Doable- Ensure that the policy can be successfully implemented and is not so restrictive or costly that the mission of the organization is placed at risk.

IT Policy

Types of Policy

IT Policy Types & Domains

Policy Types

General Program Policy: sets the strategic directions of the enterprise for global behavior and assigns resources for its implementation (e.g., conflict of interest, codes or standards of conduct, etc.)

Topic Specific Policy: addresses specific issues of concern to the organization (e.g., e-mail, Internet usage, social media, physical security, application development, systems maintenance, BYOD, etc.)

System/Application-Specific Policy: focuses on decisions taken by management to protect a particular application or system (e.g., controls for financial management associated with AP, AR, business expenses; employee appraisal system, etc.)

Each ITP is categorized based on its primary subject matter. This categorization is called a domain.

IT Policy Domains

Security

Applications & Software

Architecture/Infrastructure

Services

Project Management

Procurement

IT Finance & Budgeting

Creating IT Policies

Creating IT Policy – Getting Started

Determining the need for, and framing, a new IT policy or revisions to an existing one:

What is the problem or issue(s) that you are trying to solve?

Has a risk assessment been completed that validates the extent of the potential risks involved with the problem or issue(s) (e.g., financial, legal, public relations, security vulnerability, etc.)?

How would a policy assist in remediating or mitigating the problem or issue(s)?

Can the problem or issue(s) be resolved by creating a new or changing an existing standard operating procedure (SOP), guideline, process, and/or training program?

How will the policy affect/impact your stakeholders?

Will this policy apply to the entire community or a subset?

Creating IT Policy – Getting Started

Determining the need for, and framing, a new IT policy or revisions to an existing one:

Will this policy apply to the entire community or a subset?

Will this policy apply to users of a given product/service, regardless of their affiliation (e.g., O365 users, SAP users, windows machines, etc.)?

Will any costs be involved in implementing this policy?

How will your policy clarify how IS/IT does its business?

Will this policy impact your business partners and/or require contract modifications (e.g., background checks, nondisclosure agreements, security controls, product reference listings, etc.)?

Engage stakeholders and inquire as to what other factors should be evaluated and/or considered when creating this policy.

How would a policy impact customers in accessing and using your business and/or IT services?

Creating IT Policy – Getting Started

Determining the need for, and framing, a new IT policy or revisions to an existing one:

What teams are responsible for the product and/or service area that is impacted by this policy?

Are there multiple teams? How will these teams coordinate the administration of the policy?

Will any costs be involved in implementing this policy?

Is there any other related document that you want to refer to or incorporate in your policy (e.g., procedures, guidelines, Standards, other policies, etc.)?

Who is the policy owner (considered the source of the authority for this policy)?

Who shall review and approve this policy?

Note: Some of the above information may appear in your policy, but it will confirm for you whether or not you really need a policy.

Creating IT Policy – Getting Started

When developing policy, be careful about saying too much or saying too little. The more complex and detailed the policy, the higher the degree of maintenance and training required

Policies should be written at a high level and incorporate standards, procedures, and/or guidelines to provide those affected by the policy with methods for implementing and ensuring compliance

When incorporating standards, ensure the standards are reasonable, relevant, flexible, and current

Conduct research for existing policy examples that can be referenced

Creating IT Policy – Getting Started

Consult with subject matter experts and stakeholders when drafting the policy (e.g., policy content and understanding impacts)

Do not embed the content of procedures, guidelines, and industry standards in the policy document. Reference them, but keep them as separate documents.

Sometimes, a policy has progressive discipline actions. For example, policy language can list the situation: for the first offense, you will receive sanction 1, for the second offense, you will receive sanction 2, etc. Your policy language should state that the sanctions are enforced and are in the best interest of the service provider and the larger community.

Policy should be written keeping in mind the features of good policy

Creating IT Policy - Draft

Draft the language

Now that you have your information, you are ready to write a draft.

Who will write the draft?

Don't assume that the team's content expert should be the person to write the draft.

Find out who is the most experienced writer on your team (could be the content expert) and ask that person to write the first draft.

The first draft is important because it sets the tone you want to present for the policy.

Creating IT Policy – Draft Suggestions

Here are some suggestions to help you write your draft:

Create a brief outline of the topics you want to cover

State clearly what your stakeholders can and cannot do

Explain how to correct an action

Include any terms that might be confusing to the customer and provide definitions

If appropriate, list any special circumstances in which this policy would not apply

If appropriate, include any time constraints (e.g., does this policy apply only at the beginning or end of a specific business cycle, or only at tax time?)

Policy Elements

An IT policy document should contain the following sections:

Organization Name & Logo

Policy Title

Policy Number (logical number sequence and categorized by policy domain area)

Date the policy was written

Date policy was last revised

Date the policy will be effective

Policy Statement

Purpose

Scope/Jurisdiction

Objectives

Definitions

Policy Requirements & Controls

References

The organization that is responsible for policy lifecycle management usually facilitates the creation and maintenance of policies and IT Governance Charters

Creating IT Policy – Suggestions

Review and get final approval

It's time to send the draft out for review.

Send the draft to the appropriate reviewers and let them know that this is a draft and that their comments are welcomed

If you receive comments that are confusing, unclear, or contradict others' points of view, consider conducting a face-to-face meeting to review all the comments. That way, you will ensure that everyone has heard all the suggested changes and has agreed on the revised wording.

Where appropriate, incorporate the comments and be sure you indicate these changes.

Circulate the draft again until everyone agrees on the wording

Send the policy to the approver(s) for a final approval

Creating IT Policy – Suggestions

Communicate to the Stakeholders

You have final approval for your policy and are ready to make it public

How do you want to promote this policy? What medium and communications channels will be used to promote the policy?

Corporate Home page or IT Intranet site, CIO newsletter, webinars, forums, visits to departments, direct mail, and/or campus-wide email?

What is the timing for this policy (immediate, phased, big-bang)?

Depending on the breadth and impact of the policy, you might choose different strategies

Certain corporate and IT policies require recurring training at certain times during the calendar year or every 2-5 years.

Creating IT Policy – Suggestions

Recommended bodies to use as references for IT policies:

National Institute of Standards and Technology (NIST)

American National Standards Institute (ANSI)

Gartner Inc.

Institute of Electrical and Electronics Engineers (IEEE)

IT Security Policy Considerations

Every organization should have a strategy for how it will implement Information Security principles, technologies, and policies

All these require, in some form, a written IT security policy:

PCI Data Security Standard (DSS)

Health Insurance Portability and Accountability Act (HIPAA)

HITECH Act

Sarbanes-Oxley Act (SOX)

ISO family of security standards

Gramm-Leach-Bliley Act (GLBA)

IT Security Policy Considerations

IT security policies within an organization typically encompass the following areas:

Acceptable Use

Organization Security

IT Asset Classification

Personnel Security

Physical & Environmental Security

Authentication & Access Controls (e.g., guest, employees, remote, business partners, etc.)

Business Continuity

Data/Information Security (e.g., encryption, data classification, e-commerce, DLP)

Network & Firewall

Incident Response Policy

IT Security Policy Considerations

Why is IT policy important? Think of a situation that could have been, or can be, prevented had an IT policy been in place.

List and briefly describe five features for structuring good policy.

What elements should be contained in your policy outline?

Group Discussion

IT Policy Management

IT Policy Adoption and Management

It is important to have a group within the IT organization that oversees IT policies and performs compliance audits.

The IT policy group also coordinates with the business side of the house regarding HR policies related to IT.

The IT policy organization should establish a policy life cycle model with processes and procedures (e.g., request, create, modify, review, approve, communicate, publish, etc.)

New IT policy and/or changes to existing IT policy should require a formal review and approval leveraging IT governance entities

IT Policy Domain Workgroups or Subcommittees shall review IT policies on an annual basis to examine waiver patterns, relevancy, and alignment, and recommend changes to a higher-level governance entity

IT Policy Adoption and Management

There should be an IT policy waiver process to grant exceptions on a temporary basis. The IT policy waiver process should be linked to risk management and audit compliance processes as well.

An IT Policy Dashboard should be maintained to provide the stakeholder community with a transparent and high-level reporting mechanism for all IT policies currently in the governance process

Create a policy glossary to be referenced as a common standard language of terminology and definitions to ensure consistency when developing policy

Establish routine (20-day review), expedited (10-day review), and emergency (as determined by CIO or CISO) process categories to be able to make IT policy changes in a timely manner based on the situation

Leverage a robust EDMS with a configurable workflow process to facilitate the IT Policy LSM processes.

IT Policy Adoption and Management

Policy Reference Matrix

A policy matrix should be developed and maintained; it is typically a source of record for the IT Policy Dashboard

This matrix maps existing policies with other policies. This provides IT policy stakeholders with a reference to what policies may affect other policies, particularly if a policy is modified or rescinded

The policy matrix captures all published policies and their current status (active, create, modify, rescinded, etc.)

The policy matrix captures information on whether a policy has Product Standards references

The policy matrix captures the IT policy Business Owner

The IT policy coordinator should review the policy matrix on a routine basis and provide the necessary revisions based on the current IT policy environment

The policy matrix is usually an internal IT document but it can be made available at the request of policy stakeholders

IT Policy Adoption and Management

Key Steps in IT Policy Creation

Determine Need (new policy or changes to existing policy)

Request Submission (New or Change)

Policy request and approval

Research, Evaluation, & SME consultation (Impacts, standards, existing references, requirements, scope, costs, enforceability, etc.)

Draft initial policy document

Stakeholder initial review and feedback on draft policy document

Evaluation and consideration of feedback/recommendations

Revisions and creation of final policy draft

Stakeholder secondary review and feedback

Evaluation and consideration of feedback/recommendations

Create signature-ready IT Policy

Final Policy Approval

Communications to stakeholders

Publication

IT Policy Adoption and Management

It is important to establish an IT policy lifecycle management program from creation to rescission.

A formal process should exist for the following:

Policy Change Management

Policy Release Management

Policy Audit & Compliance Management

Policy Records Management

IT Security Policy Considerations

Why is it important to require new and/or changes to existing IT policy?

What is the importance of establishing IT Policy Dashboard, Matrix, and Glossary?

What key processes should be established to support the lifecycle management of IT policies?

Group Discussion

Assignments

Chapter 8 (IT Managers Handbook)

Homework 4: IT Policy Management & Procedures

Class Profile

Student Name | English Language Learner | Socioeconomic Status | Ethnicity | Gender | IFSP/IEP/504 | Medical/Other | Age | Parental Involvement | Internet Available at Home
Antonio | Yes | Low SES | Hispanic | Male | No | Peanut allergy | 5 | Med | No
Allie | No | Low SES | Asian | Female | No | None | 5 | Low | Yes
Bethany | No | Mid SES | White | Female | No | Able to read at 2nd grade level | 5.5 | Med | Yes
Brittany | No | Low SES | White | Female | No | None | 5 | Low | No
Danielle | No | Mid SES | White | Female | No | None | 5 | Med | Yes
Diana | Yes | Low SES | White | Female | No | Visually Impaired | 5 | Low | No
De’Jenae | No | Mid SES | African American | Female | No | Hearing Aids | 6 | Med | Yes
Eduardo | Yes | Low SES | Hispanic | Male | No | 1 of 6 children | 5 | Low | No
Emmy | No | Mid SES | White | Female | No | None | 5 | Low | Yes
Enrique | No | Low SES | Hispanic | Male | No | None | 5.5 | Low | No
Fatima | Yes | Low SES | White | Female | No | Diabetic | 5 | Low | Yes
Francesca | No | Low SES | White | Female | No | None | 5 | High | No
Frankie | No | Low SES | White | Male | IFSP | Traumatic Brain Injury | 5 | Very High | No
Gavin | No | High SES | White | Male | No | Early Entrance | 4.5 | Very High | Yes
Isis | No | Low SES | Asian | Female | IFSP | ASD | 5.5 | Low | No
Jackie | No | Mid SES | African American | Female | No | None | 5 | High | Yes
Kenny | No | High SES | White | Male | IFSP | Emotionally Disabled | 5 | Med | Yes
Lisa | No | Mid SES | Native American/Pacific Islander | Female | No | None | 5 | Med | Yes
Marisol | No | Mid SES | Hispanic | Female | No | Hypothyroidism | 5 | Low | Yes
Mason | No | Low SES | White | Male | No | None | 6 | Med | Yes
Natalie | No | Low SES | White | Female | No | None | 6 | Med | Yes
Noah | No | Mid SES | White | Male | No | None | 5 | Med | Yes
Shirley | No | Mid SES | White | Female | No | None | 5 | Med | Med
Sophia | No | Mid SES | White | Female | No | None | 5 | Med | Yes
Stuart | No | Mid SES | White | Male | No | Allergic to citrus | 5 | Med | Yes
Terry | No | Mid SES | White | Male | No | None | 5 | Med | Yes
Wyatt | No | Mid SES | White | Male | No | None | 5 | Med | Yes
Wayne | No | High SES | White | Male | IFSP | Intellectually Disabled | 6 | High | Yes
William | No | Mid SES | African American | Male | IFSP | Learning Disability | 5.5 | Med | Yes
Yung | No | Mid SES | Asian | Male | No | None | 5 | Low | Yes

© 2017. Grand Canyon University. All Rights Reserved

Course Code: ECS-585
Class Code: ECS-585-O500
Assignment Title: Clinical Field Experience A: Math Lessons
Total Points: 50.0

Rating levels: No Submission (0.00%), Insufficient (69.00%), Approaching (74.00%), Acceptable (87.00%), Target (100.00%). The Comments and Points Earned columns are blank.

Criteria: 100.0%

Problem Solving and Critical Thinking Skills (25.0%)
No Submission: Not addressed.
Insufficient: Reflection did not discuss how the lesson promoted problem-solving and critical thinking skills for the grade level.
Approaching: Reflection minimally discusses how the lesson promoted problem-solving and critical thinking skills for the grade level.
Acceptable: Reflection clearly discusses how the lesson promoted problem-solving and critical thinking skills for the grade level.
Target: Reflection skillfully and concisely discusses how the lesson promoted problem-solving and critical thinking skills for the grade level.

The Prompted Importance of Communication as Part of Thinking Mathematically (25.0%)
No Submission: Not addressed.
Insufficient: Reflection does not discuss how the mentor teacher prompted the importance of communication as part of thinking mathematically.
Approaching: Reflection minimally discusses how the mentor teacher prompted the importance of communication as part of thinking mathematically.
Acceptable: Reflection clearly discusses how the mentor teacher prompted the importance of communication as part of thinking mathematically.
Target: Reflection skillfully and concisely discusses how the mentor teacher prompted the importance of communication as part of thinking mathematically.

Enhancing Student Learning (25.0%)
No Submission: Not addressed.
Insufficient: Reflection does not explain what aspects of the planning or instruction of the math lesson you would augment to enhance student learning and why. Explanation is not supported with current and relevant research-based sources.
Approaching: Reflection minimally explains what aspects of the planning or instruction of the math lesson you would augment to enhance student learning and why. Explanation is ineffectively supported with current and relevant research-based sources.
Acceptable: Reflection clearly explains what aspects of the planning or instruction of the math lesson you would augment to enhance student learning and why. Explanation is soundly supported with current and relevant research-based sources.
Target: Reflection skillfully and concisely explains what aspects of the planning or instruction of the math lesson you would augment to enhance student learning and why. Explanation is insightfully supported with current and relevant research-based sources.

Mechanics of Writing (includes spelling, punctuation, grammar, and language use) (15.0%)
No Submission: Not addressed.
Insufficient: Surface errors are pervasive enough that they impede communication of meaning. Inappropriate word choice or sentence construction are used.
Approaching: Frequent and repetitive mechanical errors distract the reader. Inconsistencies in language or word choice may be present. Sentence structure may not be varied.
Acceptable: Submission includes some mechanical errors, but they do not hinder comprehension. A variety of effective sentence structures are used, as well as some practice and content-related language.
Target: Submission is virtually free of mechanical errors. Word choice reflects well-developed use of practice and content-related language. Sentence structures are varied and engaging.

Documentation of Sources (citations, footnotes, references, bibliography, etc., as appropriate to assignment and style) (10.0%)
No Submission: Not addressed.
Insufficient: Documentation of sources is inconsistent and/or incorrect, as appropriate to assignment and style, with numerous formatting errors.
Approaching: Sources are documented, as appropriate to assignment and style, although some formatting errors are present.
Acceptable: Sources are documented, as appropriate to assignment and style, and format is mostly correct.
Target: Sources are completely and correctly documented, as appropriate to assignment and style, and format is free of error.

Total Weightage: 100%

Harrisburg University ISEM 547

IT Policy Procedures

Objectives

Policy, Procedure, Guidelines, Standards

When do you need a procedure

Creating Procedures Considerations

Guides to writing procedures

What are Policies, Procedures, Guidelines & Standards ?

Policies are principles, rules, and protocols formulated or adopted by an organization to govern its actions.

Procedures are specific instructions to be used to implement policy requirements in a specific way; they are enforceable through the policy. Procedures are action oriented, factual and instructional.

Procedures are often integral components in policies outlining the particular actions or steps to meet policy compliance requirements

Guidelines are general rules, practices, and/or instructions that can be referenced to comply with policy; they are not enforceable but recommended as best practices that should be followed

Standards refer to something that is considered by an authority or by general consent as a basis of comparison (e.g., industry, protocols, academic, etc.)

Standards are often referenced in policies or can be used to frame a policy

Creating Procedures

When do you need a procedure?

Not everything, and not every IT policy, needs a procedure.

The number-one rule of procedure writing is to make sure there's a reason to create a procedure

Policies require specific processes or protocols to be followed for compliance

Staff forget to take certain actions, or perhaps they keep on getting things wrong

Tasks are so long and complex that people need guidance on doing things right

Serious consequences result when a process is done wrong

When a process or situation demands consistency

A written procedure is necessary only if the issue is important or if there will be a significant benefit from clarifying a process or outlining specific actions required for policy compliance.

Procedures

Creating Procedures - Considerations

Good procedure means understanding the process and the environment (things that influence or integrate with the process)

Procedure documents will vary in specific features, based on the type of information that is detailed.

Effective procedure documents are those that have clear and consistent formatting so that readers know how to follow the material.

Paragraphs should begin and end without confusion so readers do not have to wonder where one step ends and another begins.

In describing steps: use strong action verbs, provide enough specificity and explanations to ensure that readers know exactly what to do

Embed relevant icons, images, graphs/charts, flow charts, or tables in the procedures to guide and facilitate understanding.

Procedures

Creating Procedures - Considerations

The writing style for a procedure document should rely on clear and concise language.

All procedural information should be accurate, and any acronyms should be clarified; for instance, the "Food and Drug Administration (FDA)."

For a procedure document that will be in circulation for some time, avoid using specific information that might become outdated quickly.

Technical language and jargon that will be unfamiliar to most should be clearly defined (SaaS, DR, COTS, DDoS, MIPS, etc.).

Creating Procedures - Considerations

Effective procedure documents should be in outline format with clear headings, sub-headings, and labels (Diagrams & tables).

Those responsible for writing procedure documents are also responsible for reviewing them periodically.

If the information is not effective in helping employees or attaining the desired outcomes, then the procedure should be revised and improved

Creating Procedures - Considerations

Writing a procedure that is accurate, brief, and readable isn't always easy. But, with a bit of knowledge and practice, you can learn effective procedure-writing skills.

Well-written procedures help improve productivity and the quality of work within your organization

Ensure that the people who need to use a procedure have not only read it, but also understand and have used it.

Validate procedure before publication

Creating Procedures

Creating Procedures – Starting Block

The key planning activity for writing effective procedures is to research and gain a keen understanding of the process that the procedure will document

Have a clear understanding of the purpose, scope, objectives, circumstances, and target audience of the procedure

Research and collect information (consulting with subject matter experts, observe and interview process owners and process doers)

Creating Procedures – Starting Block

The procedure document should be derived from what you have learned from the planning phase

Once the research and planning phase is complete, define the core functions being performed, associated processes and sub processes (e.g., inputs, outputs, steps, activities, logical sequencing, interdependencies, resources, location, etc.)

Integrate meaningful illustrative components such as process maps, flow-charts, outlines, examples, and value streams

Creating Procedures – Illustrations Helpful

Creating Procedures – Illustrations Helpful

Budget Schedule
Item | Q1 | Q2 | Q3 | Q4 | Owner
Budget Analysis | x | x | x | x | CFO, COO, VPs
Budget Request | - | - | - | - | VP & Department Heads
Income Statement | x | x | x | x | Finance & Accounting
Sales Forecast | - | x | - | - | Sales & Marketing
Customer Analysis | - | x | - | x | Sales & Marketing
Staffing Analysis | - | - | x | - | Human Resources & Department Heads

Creating Procedures – Illustrations Helpful

Business Systems Technical Specification Compliance Requirements
Item | System 1 | System 2 | System 3 | System 4 | Owner
Technical Specification A | x | x | x | x | Security
Technical Specification B | x | x | N/A | x | Infrastructure & Operations
Technical Specification C | x | N/A | x | x | Applications
Technical Specification D | N/A | x | N/A | N/A | Help Desk
Technical Specification E | N/A | x | N/A | x | Enterprise Messaging
Technical Specification F | x | N/A | x | N/A | EDC

Creating Procedures

Core Steps

Creating Procedures – Core Steps

Preparation:

Conduct research

Provide a purpose statement (why this procedure)

Provide an overview of the procedure

Identify prerequisite knowledge and skills, if any

Highlight any specific issues and other precautions

Define the list of resources, systems, equipment, supplies, or parts needed for the procedure

Creating Procedures – Core Steps

Writing Procedure

Define a logical sequence of steps and substeps

Define decisions and decision criteria

Ensure clarity and economy of words.

Write to the level of the reader's ability

Define unfamiliar terms

Include hints and helps

Add illustrations, analogies, models, charts, pictures, workflows, tables, or anything that will aid understanding of the process and steps involved

Creating Procedures – Core Steps

Validate

Walk through and/or pilot test your procedure. Obtain feedback and recommendations from the target audience during this step. Is it understandable, effective, complete? Does it produce the desired results?

Revise & Revalidate

Evaluate and incorporate the feedback and recommendations and then retest and validate. Finalize the procedure document.

Publish

Issue the procedure document and establish mechanisms to periodically review it to determine accuracy and relevancy, as things may change within the environment or policy.

Creating Procedures

Procedure Document Outline

Creating Procedures - Outline

Title page. This includes 1) the title of the procedure, 2) identification number, 3) date of issue and last revision, 4) the name of the agency/division/branch the SOP applies to, and 5) the owner and author(s) of the procedure.

Table of Contents. This is only necessary if your procedure is quite long, allowing for ease of reference. A simple standard outline is what you'd find here.

Purpose. Define the reason and rationale for the procedure. Include applicable policies, standards, and/or regulatory requirements that may be affiliated with or driving the need for the procedure document

Scope and applicability. Describe who shall follow the procedure, and how and when it is used. Include policies, standards, regulatory requirements, roles and responsibilities, and locations.

Creating Procedures - Outline

Overview. Provide a synopsis of the procedure and processes outlined in the document

Methodology and procedures. The meat of the issue -- list all the processes and steps with necessary details, including resources, inputs, outputs, sequential procedures, decision criteria, approvals, exceptions, and relationships to business and/or IT operations.

Clarification of terminology. Identify acronyms, abbreviations, and all phrases that aren't common.

Resources. Complete list of what is needed and when, where to find systems, equipment, supplies, etc. (If required)

References. Be sure to list all cited or significant references. If you reference other SOPs, be sure to attach the necessary information in the appendix

Appendix. Section to append additional support documentation (if required)

Procedures

Typically, under what circumstances do you require a procedure?

What are the core steps in creating a procedure document?

Why is it important to validate the procedure?

Does anyone use or occasionally refer to procedures in their work environment?

Group Discussion

Assignments

Chapter 8 (IT Managers Handbook)

Homework 3: IT Policy Management

Project 2:

Part A: Create an IT Governance Matrix

Part B: Create a Governance Charter for Enterprise Security Committee

Part C: Write an Information Security Policy for Data Classifications
