IT Policies

Post on 05-Dec-2014


IT Policies
What Policies do all IT Organizations need?

November 2008 OC CIO Roundtable

Andy King, Exemplis Corporation

Table of Contents
Policy Defined
Some Reasons for IT Policies
Where it Fits in the realm of an IT organization
List of IT Policies
It looks like we should all have the following policies…
Discussion
Appendix
Example of an IT Policy
References

Policy Definition
American Heritage Dictionary

A plan or course of action, as of a government, political party, or business, intended to influence and determine decisions, actions, and other matters:

As an example, an American foreign policy; the company's personnel policy.

A course of action, guiding principle, or procedure considered expedient, prudent, or advantageous: Honesty is the best policy.

Prudence, shrewdness, or sagacity in practical matters.

The American Heritage® Dictionary of the English Language, Fourth Edition

Copyright © 2006 by Houghton Mifflin Company.

Published by Houghton Mifflin Company. All rights reserved.

Some Reasons for IT Policies
To prevent abuse of IT resources, protect ownership and employees
Provide guidelines in decision making with IT management
Integrate with corporate governance
Meet regulatory, legal, and ethical requirements

Where IT Policies fit in an organization
IT Governance
Description: Used by Boards of Directors to evaluate, direct, and monitor the use of IT in their organizations
IT Policy and Procedures
Description: Used to describe specific IT related guidance and steps to conduct work actions and decisions
IT Management
Description: Used to implement business objectives in IT using direction from CIO/Head of IT, policies, and procedures

Where IT Policies Fit
[Diagram with boxes: CIO; IT Governance; IT Policies & Procedures; IT Management; Corporate Governance; Company Policies & Procedures]
A significant cornerstone of the IT framework

List of IT Policies*
Security (see next slide for details)
Network/Infrastructure
Hardware
Software
Residential Network
E-mail
External Vendors

*Northwestern University Policies and Guidelines

Security Policy
Data Encryption Asset Disposal Hub/Repeater/Wireless Merchant Card Processing Network Privacy Reporting a Violation Secure handling of social security numbers Use and copying of computer software Use of Computers, Systems, and Networks

List of just about every IT Policy I could find!
IT Use Policy for EE’s Internet Acceptable Use Breach of Security Policy Electronic Communication Email List Server Password Server Usage Software Installation Printing VPN Wireless Network General Policy Security Data Encryption Reporting Observed Violations Asset Disposal Point of Sale
Secure handling of social security Technology acquisition, development, and deployment of Information Technology
Bulk email approval Virus and Spyware External Vendor Visitor Access Anti-Malware Lockdown Privacy Back up and restore E-commerce Domain controller Mobile computing IT management Patch management To ensure support of Business Continuity Planning

Do you have any others?

Appendix: Policy Examples (see handouts)

University of Michigan-Flint
The University of Tennessee
Murdoch University
Yale University
Northwestern University (Wow!)
Government of Bihar (Interesting)

Services/Tools (not an endorsement)

AltiusIT
BizManualz (www.bizmanualz.com)

Reference Items:
http://www.itgi.org/ IT Governance Institute
The American Heritage® Dictionary of the English Language, Fourth Edition
British Standard ISO/IEC 38500:2008; Corporate Governance of information technology
Wikipedia: Information Technology Governance
ScienceDaily: Obama and McCain’s Technology Policies Examined