Writing effective IT standards (also often referred to as policies) can be a challenge, especially if this is not something one does on a frequent or permanent basis. Once written, standards need ongoing maintenance to stay relevant and current.
Two of the more common pitfalls associated with writing and maintaining IT standards are:
- Statements often contain process or procedural detail.
- Standards maintenance occurs infrequently.
The following highlights our findings as to why these are a challenge to the authors and their organisations.
Statements often contain process or procedural detail.
Before creating or editing a standards statement the author should have in mind that the statement outlines “What we do” not “How we do it” – a standards statement is used to define a behaviour we wish for the reader to achieve. A procedure describes how a standard should be implemented and may also fully detail the steps to be taken and who is responsible for taking those steps.
The impact of not keeping statements “pure” is widespread. For example:
- A complex standards statement that contains process or procedural detail will result in a confused user who therefore may not adopt the desired behaviours.
- A focus on “pure” statements will make for better information governance discussions and make it easier to craft any overarching policy statement for sign off at executive level – fewer meetings to discuss standards and policies are a good thing!
- Cross referencing to relevant industry standards such as ISO27002 is easier to accomplish and should result in adherence to best practice.
Standards maintenance occurs infrequently.
Our findings are that most Local Authorities, on average, review and refresh existing IT standards on a 3-5 year cycle. However, with so many other pressures on day-to-day activities, very few actually keep to that schedule.
If housekeeping of IT standards doesn’t occur more frequently (every 12 months), the amount of work required to keep them current grows year on year. If they are left untouched beyond a 3 year period, a laborious and time-consuming exercise to review and refresh them will follow.
Infrequent, unstructured housekeeping can result in some of the following outcomes:
- Editing – If a standards statement is already complex or not already well worded then whoever inherits any subsequent editing work may find it difficult to keep the statement and wording contextual. Re-writing a policy starting from scratch is often the resulting approach.
- Outdated – The original wording and terminology used to define a standard is outdated and, once read and reviewed, needs to be edited or completely re-written.
- People intensive – When the amount of change required is significant, stakeholder meetings may need to be scheduled to get input, approval and sign off for those standards statement changes.
- Gaps – With constant shifts or changes in technology and how it is used, there is an ongoing requirement to develop new standards and review existing coverage. Big gaps are likely to appear in terms of standards coverage without more frequent housekeeping.
If your organisation has a desire to show adherence to industry standards, for example ISO and PCI, then the work to cross reference these standards, once you have addressed the coverage issue, will also require a significant investment of time.
Keeping Standards Pure is something our Wordsmiths excel at.
The Protocol Policy System has been designed to take the pain away from defining, deploying and maintaining IT security standards and policies. Key people in an organisation that need to ensure IT risk and governance is well managed can therefore focus on other priorities.
Our system is priced to be cost effective and provides a level of cross referencing to best practice industry standards that would not normally be achieved if managed internally by the organisation.
Furthermore our customers often comment that having expert advice available to guide them through a project (including a 2 day review) is the best two days they have ever spent as it provides them with an introspective view of the current environment. Taking away the ongoing housekeeping headache means that standards statements are consistently well written, easy to understand, current and relevant.
Click here to read about Swindon Council, who recently undertook a project to develop their strategic IT direction; it was evident that their existing IT policies were out of date, not comprehensive enough and would not be suitable for use in the future.
To discuss how we have assisted Local Authorities develop, deploy and maintain their IT standards – contact email@example.com