Monitoring and evaluation of an IT policy begins
at the time the policy itself is written. While most organizations are well
aware of how to write a policy, it is also important to understand how this
policy is going to be monitored.
An important aspect which organizations have to keep
in mind while drafting a policy is to make sure that all parties who are going
to be impacted are involved in writing the policy. Keep the policy in pure
English and avoid too many legal, complicated and heavy words. Also the policy
should clearly define all the teams who would need to use this policy. Hence many policies have terms like “This policy
impacts all teams that are related with network security…etc”. The policy needs
to be clear and leave no scope for ambiguity. While it is accepted that the
policy cannot cover all practical scenarios, it should also guide the user regarding
the DOs and DON’Ts for scenarios they may encounter.
It is very important that the IT policy makers
go through ITIL management processes and policies. ITIL provides policies and
concepts for operations management and IT infrastructure development. Another
important and often neglected aspect is training. It is very important
that all parties who are going to be impacted by the policy are clear about
what is expected and how the policy will be implemented. They also need to know
how this will be evaluated so that the evidence and data are compliant and
stored in the format required for evaluation.
This will also help in monitoring the
effectiveness of the policy. While drafting a policy, care should be taken to define
what data will be recorded to measure the effectiveness of the policy. The
organization should have clear guidelines on what aspects will be measured for
all the teams impacted by the policy.
- How will the data be gathered
- Who will be responsible for the data / evidence required
- How will the data be analyzed
- How will the reporting methodology work
Reporting should not just be for the sake of
compliance. It should also help top management in understanding if the policies
implemented are actually helping the teams in performing their work more
effectively. They should be able to analyze if the policy implemented is in
line with the overall organizational goals and is helping them get there
faster. The data should also help in identifying what improvement measures need
to be implemented or what corrections need to be made to the policy to rectify any deficiencies.
The benefits of measuring the effectiveness of
the policy are many. The basic advantage is that it will help senior management
in measuring compliance with various initiatives. Also, since all stakeholders would ideally be
involved in drafting policies, much effort is spent. Measuring the effectiveness
helps management understand whether they are getting the ROI expected from this
investment. The feedback received on the policy will also help in drafting
future policies.
About Author:
Kintu Racca is a consultant in Systems Plus Pvt. Ltd. Within Systems Plus, she actively contributes to the areas of Technology and Information Security. She can be contacted at kintu.r@spluspl.com