In last week's post, Exploring 3 Different Types of IT Documentation, we briefly touched on policies as one of the three common types of documentation. The importance of IT policies cannot be overstated. Policies are very important as they portray an organization's stance at a high level.
As a quick review, consider policies at a general level. They are high-level guidance applicable to all departments and divisions of an organization. Policies are essentially a documented way to communicate expected behavior and appropriate use of resources.
It doesn't take much research to support the how and the why policies are important. Just from using an internet search engine alone you can find articles on the importance of policies published in the last 20 years or so. Despite the proliferation of the topic, the discussion is not even close to slowing down. There are many organizations who are simply behind in updating and creating proper information technology and security policies.
A quick example of the importance of written policies is as follows:
A manager calls a meeting and begins on a tirade about the lack of people wearing personal protective equipment. Two of the supervisors in the meeting have opposite takeaways of what the manager's rant meant. One supervisor knows it's just a rant and waits to see if there are any upcoming rule changes and the other supervisor swiftly and severely cracks down on their employees. To read more, view this PDF: Chapter 13: The Importance of Written Policies and Procedures at Michigan Municipal League. This message isn't about IT but it's an interesting read and I suggest you take a look at it.
Now, consider policies at the department level.
Once information technology and security policies are written and effected, the way is paved to developing standard operating procedures, purchasing decisions, plans, forms, and other organizational tools and decisions. Additional documentation can be created from policies as needed to help measure specific objectives. Once a clear goal has been established, it is much easier to maintain control and overall quality of technology and information services.
This is especially helpful to achieve compliance with legal and other regulatory standards.
- The Basics of an IT Security Policy by Jack G. Albright
- What Makes a Good Security Policy and Why is One Necessary? by Caroline Reyes
- What's Your Policy? by M Edwards
- How to Develop Good Security Policies by Kerry D. McConnell
Do you agree on the importance of having policies?