Friday, July 20, 2012

Policies and Procedures

As a CIO, I've been writing policies, guidelines, and procedures for a long time.  My technical background did not prepare me to write these kinds of documents.  I suppose my general education and business background did provide some preparation.  I worked in a law firm many years ago and had to write guidelines for staff members that satisfied the partners (who had a high writing standard).  I have a Master's in Public Administration and we covered many similar topics in that program.  Still, I've never really studied "writing information technology policy."  For a while I've been thinking we need a uniform policy and compliance guideline, but I'm not sure who could write it.

Several years ago, Rodney Petersen wrote a useful article for Educause Review: "A Framework for IT Policy Development"

Another useful piece from Educause is by M. Peter Adler: "A Unified Approach to Information Security Compliance"

This SANS chart is good, but you have to interpret it for policies:

This week I attended the Educause Campus IT Policy Workshop, led by Greg Jackson, Educause Vice President, Policy, Jarret Cummings, Educause Policy Specialist, and Kent Wada, Director, Strategic IT Policy and Chief Privacy Officer, UCLA.  This was truly a workshop, with strong presentations followed by case studies and discussion.  Links and materials to useful references were provided.  The event was a positive learning experience, even for someone who has been writing policy for a while.

As a result, I came back and reviewed our university policy template again.  Our university policies are posted here:  Our information technology policies exist within the university framework, but I isolate them on our web site for presentation with other procedures and guidelines:    

I'm in the process of updating a half dozen policies to incorporate feedback from the external PCI auditor.  I am trying to organize my "policy thinking" and I am going to try to bring some consistency to the documentation. The PCI auditor had recommended that we separate all PCI elements into one PCI policy, but after the workshop, I am more convinced that the separate policies that are IT-centric still make more sense, particularly for a university.  Too many components for regulatory compliance overlap.  It doesn't seem to make sense, for example, to have separate policies for FERPA, HIPAA, and PII data, when it all comes down to information and data security.  I also want to create policies that are not obstacles to what the university is trying to accomplish.

Once a policy is developed, our review and approval process is described here:  It is quite a bit of work to shepherd a new policy or a policy update through the process, but it is worthwhile. You hear different perspectives and sometimes you realize the policy needs to be worded differently.  Shepherding a policy also presents an opportunity to get support for the policy, particularly when the subject matter is difficult.

To help organize my thinking, I've created a checklist, posted here:  Policy Checklist

Anybody want to talk Policy?