A recent assignment we undertook for an unnamed organisation (we’ll call them Demonstration City Council (DCC) for the purposes of this article) required us to review and conduct a gap analysis of their existing IT policy material.
In doing the analysis, the most obvious gaps we identified were that DCC did not have any IT policies written for heads of department, team leaders or managers, and that only limited policies were in place for the technical team. The scope and context of their existing policies were focused on acceptable use only; as a result, people in the organisation who were required to make decisions to approve and enable access to council systems and data had no guidelines as to what the council expected of them.
After consideration the leadership team at DCC decided this issue presented a risk they needed to address and that they should work with us to mitigate it.
While developing, delivering and managing policies can be a challenge, it is very important to have policies in place with the right scope and context.
The table below contains examples of the key policy statement headings that one should consider for use in a comprehensive Access Control Policy scope for:
A general user (U) – General User Policy Content
A manager/team leader (M) – Management Policy Content
A technical team member (T) – Technical Policy Content
A comparison chart of the sample policy content applicable to a user, a manager, and a technical person accompanies this article. The chart details policy statements applicable to controlling access to information systems, which is one of a number of key elements that make up a good Access Control Policy.
In a typical IT Policy System project we assist customers to develop and deliver a suite of up to 26 effective policies written in user-friendly plain English. Usually up to 10 of these policies are written contextually for users, managers and technical people, covering topics such as Access Control, Computer Systems and Use, Information Management and Personnel Management.
Our Policy Management as a Service offering is designed to help organisations develop, deliver and maintain the right level of IT Policy content to ensure that they have the foundations in place for a secure computing environment. The service unburdens our customers from having to do this work in-house, ensures content is always up to date, and ensures that the easy-to-read policies are in context. Furthermore, the system incorporates a mapping of the policy content to relevant recommended international standards, codes of practice and local requirements (e.g. ISO, PCI, Cyber Essentials Plus).