Policies and Procedures can often feel overwhelming and daunting.
In the realm of IT, there is often a feeling that there are policies for the sake of having a policy and that writing or implementing policies can get in the way of work that needs to be completed. An IT department can have well over 80 policies ranging from system policies, backup policies, security policies, Disaster recover policies, encryption policies, access control, risk management… the list can seem endless. For this blog I won’t even mention the number of guidelines that are within a department!
Reviewing and maintaining these policies can often feel burdensome and can consume vast amounts of time. In health centers an IT department have to review policies and procedures a minimum of twice a year for third party audits. (One for HIPAA compliance and a second for Financial Audits) Many companies also review and/or update polices and procedures every other year to show that the policies remain constant.
This often becomes problematic because most IT departments are staffed to meet the current needs and do not have a designated security officer so the role is split or designated to the department head. This approach structurally makes sense for a company because it puts the assignment on the person who runs the department and is the companies subject matter expert, but this approach can leave unwanted exposure.
It is a given that it’s hard to stay on top of the many policies/standards in place. Whether its NIST, ISO, COBIT, or implementing a Risk Management Framework… there are many for IT alone, not to mention to standards and policies IT has to help other departments adhere to.
I’ve seen many departments find policies or try to adopt best practices from other companies. This is often done because a department is lacking a policy and has to get one in place quickly to meet the need of a current audit. While this often meets the requirement, the policy often does not align with how the company is actually operating. When this happens, a policy was put in place just to make sure there was a policy.
Unfortunately, the above approach doesn’t work. Policies are in place for a reason. These policies set a structure for the department and the policies need to align with how the department actually functions. When a policy and what is practiced within a department don’t align, mistakes can be made leaving a company exposed.
For example, let’s explore Backup Policies:
In this scenario, we will say a company states that there is one backup up policy and that there are incremental backups Sun – Fri, a full backup every Saturday and One full backup is kept for a month.
There are a lot of considerations to be made with a backup policy. If the policy above is stated that it is for the entire company that would mean that it would apply to all systems in the company. A blanket policy like the one above would lead me to ask several questions. For instance, some systems can have terabytes of data. Do all systems abide by this policy? Is there another policy stating that the department tests the backups with a restore? What accounts have access to the backups? Are the backups encrypted? Is there also a secondary offsite location for disaster purposes?
As I mentioned, Policies and Procedures can be complex and often times difficult to make sure the policies align with what is practiced, but they are important and necessary for an organization. If there is a disaster, the policies also let everyone know the steps to follow during and after an event. Other policies let management know what is expected and should be happening within the company on a day to day basis.
Are policies tricky? Sometimes.
Are they necessary? Definitely.
Interested in learning more?
If your business needs help with policies or would like help making sure your policies align with what’s being practiced; We encourage you to contact us:
Toll Free: 800-940-0040