A discussion with a recently hired CISO for an insurance company revealed the last time policies and controls for IT were reviewed was two years prior to her arrival. When she first attempted to engage managers in a top-down review of policies, everyone ignored her, including IT.
After finding support from the chief legal counsel, the CIO, the chief of internal audit and the audit committee, the company conducted its first formal review of its IT policies in more than five years, despite yearly SOX and GLBA audits.
Sound far-fetched? It’s not, based on the experience of others: this CISO had the support of management, others do not.
Do Your IT Policies Matter?
IT policies span a range from human-readable management policy to business procedures and machine-level policies and controls implemented in IT. Understanding the difference between these and aligning them with the risk and reward culture of the organization, while staying on-top of regulatory and legal mandates is a task not done frequently enough.
The Boundaries of the Playing Field: Managements Voice
Management policies are like the boundary lines for a sporting event (European football, Brazilian football, US soccer, Canadian hockey, US football, Pakistani Cricket, Japanese baseball, French tennis, the idea is the same). When the ball goes outside the boundary markers, it means play is dead. Inside the boundary markers and the players can continue playing, albeit with the addition of other rules and controls that keep the game moving on a level playing field. Examples of these include three strikes and you’re out in baseball or offside passes in the World Cup.
The rules for what constitutes the size, shape and location of the boundary-markers for IT policies are management responsibilities and prerogatives. These are the easy “directive” policies that management sets. The hard ones are the policies and controls for what happens on the playing field inside the boundary markers: which is why management policies and directives are critical.
On the Field of Play
The rules of play on the field should reflect managements’ directives. Whether it is business procedures, access to information, protection of customer data, protection of sensitive organizational information, or the availability and protection of critical IT assets, the policies (and controls) set out for business procedures and those implemented in IT, should fit hand-in-glove with value and risk management objectives of the organization.
Commonly referred to as procedural and technical polices (and controls), the primary distinctions between the two include:
– Procedural polices and controls are the human-readable policies governing how people use information systems to execute business objectives
– Technical policies and controls are the hard-coded policies and controls that are implemented in applications and IT assets.
Do management policies for IT matter?
Based on research conducted with thousands of organizations, management policies for IT matter quite a bit, and the findings show very marked differences in terms of outcomes being experienced and what is emphasized — or not — by organizations.
Organizations experiencing the best outcomes (highest revenue, profit, least business downtime, fewest problems with audit and least loss or theft of sensitive information) actually implement management policy for IT very differently than do their peers and most other organizations.
Some notable differences among the worst performing organizations include:
• An utter lack of polices for the business risks related to the use of IT
• Little to no guidance for minimum acceptable service levels
• No monitoring or reporting standards are defined
• Non-existent or few policies and controls for business procedures
The differences starkly illustrate the impact that management direction for IT policies and controls — or lack thereof — has on revenue, profit, customer retention, business downtime, data loss or theft and audit deficiencies.
However, the differences shown in the table are not the only ones found from research conducted with thousands of organizations. Other policies and controls that are consistently not implemented among the worst performing organizations include those governing:
• Acceptable use standards
• Information processing facilities
• Acquisition, use and disposition of IT assets
• Application development, testing and development
• Access to information and IT assets
• Incident response and problem management
• Change management
• Accreditation and acceptance
• Maintaining a history of the changes to policies and controls
Which IT policies are most important?
Management policies are critical. These set the tone and direction from the top, as the practices (and outcomes) of the best performing organizations attest. Those that define the boundaries of play, especially minimum acceptable service levels and maximum acceptable risk, are critical. It is the tradeoffs that are made between these two that are guided by an organizations value and risk culture, and the legal and regulatory mandates in whatever geographies the organization operates.
Which IT policies do you need to improve?
For some organizations, improvements to IT policies and controls may be a tuck-here or a slight change there. For a few it may be a start-from-nothing exercise. But for a majority of organizations, some practices for IT policies and controls may close enough while others will need to be improved.
When should you review IT policies and controls?
If your organization is anything like the Insurance company that had not reviewed its IT policies (and controls) in more than five years, it’s probably time to undertake the effort. Even if these were reviewed in the past year, it’s still time to conduct the review: changing business, regulatory and legal conditions in operating geographies dictate more frequent reviews.
And, if it’s any indication, the best performing organizations review policy and controls at least quarterly, supplemented by daily, weekly and monthly updates from assessments and reports to gauge the effectiveness of policy and controls.
Assess Your Practices — Today
The Assessments@ITPolicyCompliance deliver a confidential and quick two-minute way to assess the posture of your organization against your industry and peers.
Benchmarked against more than 4,000 other organizations, these quick two-minute assessments cover organizational structure and strategy, the use of frameworks and standards, management of policy, management of procedural controls, management of information controls, management of technical controls, vulnerability and threat management, risk management and reporting, and financial implications.
Who should be interested: CIOs, CISO, CAOs, CROs, and principal managers of IT and audit
Time to value: minutes
Benchmark universe: more than 4,000 other organizations
Visit: www.ITPolicyCompliance.com/Assessments to find out more
Related research
Automation, Practice and Policy in Information Security for Better Outcomes
http://www.itpolicycompliance.com/research_reports/
How the Masters of IT Deliver More Value and Less Risk
http://www.itpolicycompliance.com/research_reports/
What Color Is Your Information Risk – Today?
http://www.itpolicycompliance.com/research_reports/
ITPCG blog 