Policies and Governance... I'm curious to know how others in the IT Pack think about policies and governance.
For many years I thought governance was nebulous, and "administrivia". Everything was getting done without it, right? At a certain scale, however, the lack of homogeneity caused problems - lack of communication, and inconsistent change management.
There isn't one framework for me, but several. NIST is my favorite for cyber-security, ITIL is my favorite for tying together service, incident, change and problem management.
As valuable as the policies are, even more so is the process of sitting down with your team and discussing how things are done (they won't necessarily know) and how they *should* be done (they won't necessarily agree). That more than anything highlights the gaps in understanding and helps to smooth performance and facilitate improvement going forward.
Keep each document short and simple, avoid the trap of the "governance threes", where every action is described with three adjectives - "The purpose of this document is to ensure we implement a process that is expedient, efficient, and effective to provide information that is accurate, relevant, and timely..."
Lastly, a procedure is a step-by-step outline to be followed, whereas a policy is something that describes a behavior and consequences for deviation, usually the infamous "up to and including termination." Policies are read and understood beforehand, while procedures are referenced in the process of doing.
Policies are critical for security. For example, should people share passwords or not? Can they install their own software? Can they tweak their own settings (or install RAM in laptops if they want)? Can they bring in their own wireless access point if the signal isn't strong enough at their desk? Etc. Without policies, users can do anything and everything they want, and there are no consequences. The company wouldn't have conveyed the expectation, so there is nothing to enforce. Policies should use "shall" and "will" to prescribe behaviors.
Procedures are probably more for surviving an audit, as certain audit types will require both (I'm looking at you, HITRUST). Procedures aren't necessarily work instructions, where you have a step-by-step list of clicks and screenshots. They are higher-level descriptions of the "who, does what, when, and how (at a conceptual level)." E.g. "The security officer reviews configured firewall rules semi-annually by obtaining a current list of rules and examining each to make sure they are still in use and justified. If any are found to be obsolete or unauthorized, they are removed."
The framework is really up to you, but if you are in a regulated industry like healthcare, use one that supports HIPAA, like HITRUST. A generic framework that applies to every industry is ISO 27001. Note that clauses 1 through 10 in ISO 27001 are just as important as the list of controls found in the annex A11 through 18, and 27002 (especially if you are seeking certification).
First of all, good answers by Matt and Allen. I am most familiar with the use of TOGAF and ITIL for various parts of policies and procedures in the areas of guidance for enterprise architecture and IT service management. Policies and procedures can often become just a check in the box, mainly because I am not convinced they really get communicated really well to the audience to ensure understanding, until someone makes a mess of something because they did not follow some documented procedure. I manage the IT perspective of the SOX controls policies and procedures for applications with a financial relevance. We are taking a fresh look at these, because the controls were a good fit for applications hosted on-premise and supported internally, but have some deficiencies with cloud, SaaS, and 3rd party support now coming into play. For example, we have to tweak some controls when true dev/ops tools and processes come into use. Controls written 5-10 years ago are lacking just a bit with the evolution of new environments and tools. Also, just to answer your first question, your policies and procedures do influence your company's culture and the values driving the culture - whether or not that is the type of influence you intended.
It's a part of our job and I like it. Governance establishes a pattern of behavior for the organization. It helps us tell a story of what's expected of staff members. For example, NIST RMF helps us understand organizational risk and take relevant actions. IT can explain why we are doing what we are doing. Policies allow us to explain to staff and folks outside the company what we do (short and high-level doc). Processes show them how we do the work (could be lengthy and can change over time). The why, what and how tie together to help with adoption of good practices. Auditing process helps us find gaps and builds confidence in our methodology. It's an easy way to tell a story.
A year ago we put in practice a process. A few staff members questioned it. We were able to show the risks prior to the process being in effect and how the process mitigated that risk. We were able to tell a story in less than 5 minutes of how the process helped, what behavior was expected as per our policy and why we were doing that. Since then, it's been easier for people to buy in and they believe more in our efforts.
Governance helps with mental satisfaction for us and our business partners. When a business partner wants us to be compliant with one of their processes, we can tie the process to an existing policy related to an existing good practice/framework/regulation/law. If an issue is detected, we can improve a process and tie it to the chain - more or less like a unit test in software development.
As a State/Local Government Managed Care Organization we are absolutely required to have a robust governance structure in place including Policies, Procedures & Plans. Obviously HIPAA/HITRUST is a factor, but we also undergo several financial audits each year as we are responsible for managing $450M in state & Medicaid funding for mental health, substance use, and intellectual and developmental disabilities services in our 26 NC counties.
Eric, this is a great question. With the amount of traction we are seeing on this question, I wonder if we can serve the pack by developing a Governance Room where the community would be able to share policy and procedure forms, thoughts, ideas, etc. Would this be of interest to the Pack?
I find governance very valuable and non-negotiable. Of course, I recognize the value placed on these conversations is dependent upon where a company is in their size, growth velocity, risk appetite, and industry.
For example, a 10 person marketing company may view governance as scary, cumbersome, and unnecessarily complicated while a 5k person Fortune class firm in the finance industry looks at governance as non-negotiable.
I look at governance as the opportunity to understand fences. Within the governance framework I have policy, standards, and procedures. How expansive the framework is needs to be dialed into your context.
For small companies that have nothing in place, I'd tend to start off discussing good behaviors like credentials, permissions, locations of assets, data, etc. After they start to understand what good behaviors are and why it makes sense to think about them, then I would tend to discuss a guiding framework like NIST-CSF, CCPA, PCI-DSS, etc. Start small.
For companies that are larger and have various things in place, but may be splintered, I'd tend to discuss the larger portfolio of things they are monitoring/managing and observe things that they may additionally consider monitoring/managing ... and during that conversation, begin fostering energy to bring things together into a unified direction. Fragmentation is a normal problem as companies grow, learn, change and figure out how to mature. Maybe they've chosen too many standards, have experienced leadership attrition creating policy discontinuity, only cover some parts of the business and not others. Choosing a focus, normalizing, expanding and maturing would be normal here. They may or may not already know which standards matter the most.
For companies that have a great governance framework in place and simply know what they are doing all of the time, I'd tend to discuss taking their existing frameworks and figuring out how to automate as much of it as possible through time. The larger the company, the more work. The more work, the more latency to get the job done (and often much, much larger staff due to manual work). They likely already know which regulatory standards apply to them, so it isn't a matter of helping them choose, but rather helping them scale.
Which standards may depend upon your industry, risk appetite, staffing size, and budget. To what extent implemented (5 policies and 10 standards versus 50 policies and 200 standards, etc.) is also dependent upon the company's level of maturity, risk, and requirements.
Governance Framework is composed of (summarily):
- Policy states what, vision
- Procedure states how, auditable steps
- Standards state behavioral and result expectations, "use this as a baseline of goodness"
- Method of audit against expectation (manual, automated, blended)
- Method of remediation against audit findings
You've touched on an outstanding conversation. My recommendation is to focus on what you want to know first. Then discuss what will help you learn said information. In the end, the data needs to lead you to decisions or it is just ceremony and noise. ;-)