Organizations know that policies are critical to any mission. How do you handle data? How to do you navigate surprise incidents or emergency changes? How do you secure critical information?
Governance is a key element of the service value system—that is, the way you create and deliver value to your customers. The ISO/IEC 38500:2015 standard for governance of IT departments and organizations defines IT governance as the system by which the current and future use of IT is directed and controlled.
According to ITIL® 4, this direction usually comes in two forms: strategies and policies.
- Strategies set priorities for business activities and investment.
- Policies establish the requirements for how everyone across the organization handles certain practices, including suppliers, partners, and other stakeholders where relevant.
Strategies are typically spelled out from the CEO and executive leadership. But what are the policies that an organization needs to have in place in other to succeed? Experts suggest a few IT areas that need policy.
Let’s take a look.
What are policies?
Policies are the framework and constraints (guardrails) within which employees can strive for individual and collective success. ISO vocabulary defines a policy as:
“Intentions and direction of an organization, as formally expressed by its top management.”
Developing IT policies
In IT, the scope for policies covers many areas, ranging from high-level, organization-wide policies to specific topical policies that likely affect only IT employees. When developing policies for your organization, consider:
- Aims and objectives of your organization
- Strategies adopted by your organization
- The target group for the policy
- Structure and processes of your organization
When it comes to policy content, the VeriSM™ service management approach provides three simple clear questions that your policies must answer:
- Why is this necessary? Be very clear (within one sentence) as to what the policy objective is.
- What needs to be achieved? Don’t explain how you’ll achieve this policy. The related process and/or procedures will do that (provide reference links, if available). Instead, explain the conditions of the policy—what must occur.
- How I will know if this is done and it works? Define appropriate measurements to demonstrate compliance. SMART goals will help you get there.
Critical IT policies
So, what are the most critical IT Policies? The ones your business must have? Well, each organization is different. What’s critical to one may not be the same for others.
The golden rule in governance has long been that we cannot outsource oversight.
Most organizations embracing digital transformation have outsourced the need to maintain IT infrastructure and platforms—this used to take up significant policy effort. Depending on your organization’s maturity, you may no longer need many I&O policies, for instance.
If you do have a cloud strategy, it’s likely that your policy focus has shifted to service and data layers. This is where most interaction with technology is now happening, especially when it comes to app development. But that doesn’t mean that you can neglect the underlying layers. Instead, you’ll likely pivot to areas like security and billing.
(Interestingly, most modern app development approaches align to the agile manifesto, which de- emphasizes processes and comprehensive documentation, two elements that are traditionally the bedrock of policies.)
When we look at standards, here’s what we see. The ISO/IEC 20000:2018 standard for Service Management defines only three policies defined that any IT organization should maintain:
- Service management policy
- Change management policy
- Information security policy
You might be wondering about other policies that seem critical.
The Info~Tech Research Group defines other policies that IT organizations need to put in place. These include:
- Enterprise Architecture policy
- Data Management policy
- Asset Management policy
- Purchasing policy
Your organization may need policy in all seven of these areas; or, maybe only four are appropriate. We’ll briefly look at each one here, then point you to more resources about these practices.
Service Management policy
This policy establishes the framework of setting service management objectives in line with the organization’s purpose. This policy includes:
- Commitments to satisfy applicable requirements
- Commitments to continually improve the organization’s service management system and services
It is the definitive top management commitment to service management, aligning directly with ISO/IEC 20000 requirements.
Without it, there is no evidence of service management direction from the leadership, potentially leading to a disjointed approach to service management activities across the organization.
(Check out what’s happening in service management today.)
Change Management policy
The intention of a change management policy is to maximize the number of successful service and product changes by ensuring that you’re properly assessing risk, authorizing changes to proceed, and managing the change schedule. (In ITIL 4, this policy is renamed to change enablement.)
The policy defines:
- Service components and other items that are under the control of change management
- Categories of change and how they are to be managed
- Criteria to determine changes that have potential to have a major impact on customers or services
Without this policy, risks of unplanned service disruption or bureaucratic hurdles to smooth change execution are likely to occur (exactly when you don’t need them).
Information Security (InfoSec) policy
This policy spells out the required posture to secure the availability, integrity and confidentiality of business information on IT systems from potential risks, through appropriate controls that align with organizational and regulatory requirements.
For the most part, any Information Security policy comes with a lot of sub-policies covering different topics as per controls, including, among others:
- Risk assessment
- Access management
- Acceptable usage
- Password management
- Information classification
- Disaster recovery
With cyber security risk becoming the #1 focus for most digital organizations, absence of this policy is itself a risk. Without coordinated effort to secure data, your organization’s existence is threatened if a significant attack occurs.
Enterprise Architecture policy
The Enterprise Architecture policy outlines how IT supports the business mission and operations, through alignment and prioritization of IT strategies and initiatives. It also includes guidelines for designing, planning, implementing, and governing enterprise IT architecture.
Without this policy, your organization risks increased costs and poor performance.
Data Management policy
This policy focuses on the management and governance of data assets—i.e., documents, databases, and application data files—with a strong focus on data protection and privacy.
Without this policy, you’re risking the misuse, loss, regulatory penalties, or lost opportunity from data usage.
Asset Management policy
This policy provides guidelines on activities involved in the asset lifecycle, from acquisition, tagging, deployment, usage, maintenance, withdrawal, and disposal.
Absence of this policy would impact the organization financially because you’re not maximizing the ROI of your assets—and you may even be taking a loss.
This policy provides guidance on acquisition of service components required for delivery of IT services, ensuring value for money and holding suppliers to their contractual commitments.
Without it, the organization can be impacted financially by poor decisions that could lead to:
- Material loss
- Poor third-party service delivery
Choosing IT policies
Whether it is because of compliance with regulations, need for internal controls, operating requirements, or risk management, the need for IT policies cannot be understated.
With the ever-evolving technology landscape and the strategic drive for digital transformation, ensuring that sound policies that shepherd, not constrain, good practice are an essential ingredient of maturity and excellence for any IT outfit.