A Primer in IT Policy Construction and Control
Compliance with Sarbanes-Oxley, HIPAA and other regulatory mandates starts with well-crafted control policies. Auditors look for certain key elements in a policy to ensure reasonable effort in addressing controls correctly and comprehensively. This primer offers a quick overview of how to organize and build well-constructed IT policies that can get you past the first hurdle in an audit.
Policies define controls that mitigate specific risks. Whether broad or specific, whether addressing security awareness or encryption, every policy must succinctly express the business value, risk, impacts, mitigation strategy, responsibilities and enforcement measures of the control.
Using a standard template that includes key elements will impress auditors by demonstrating a systematic approach. It will also save time by avoiding the back and forth required to clarify interpretation.
Avoid undermining your best efforts with sloppy, internally inconsistent policies that only increase tensions and waste time. Make sure your policies achieve a consistent quality standard that meets typical auditor expectations. Here's the link to the Primer: Policy Construction Guidelines. To ensure you have a complete body of policies covering all control domains, refer to the standards pairings found at the following link to guide you in developing a complete list of policies for your organization:
Good policy construction and selection of content only solves part of the problem. Ensuring that your policy set is comprehensive, and that your policies are neither redundant nor conflicting, is difficult unless a policy framework is used.
The table of contents of JANCO Associates' Security Manual Template is an excellent example of a good IT policy framework. Reference your policies logically to this well-thought-out framework, or purchase the manual and use the included templates as a complete IT policy solution. You can view the table of contents and a few pages at this link:
JANCO also offers other useful manuals that help improve IT control. They can be viewed at this link:
(c) 2005 Bar Biszick-Lockwood/QualityIT
Last Updated ( Wednesday, 24 August 2005 )