Organizational Policies

This document will:

  • Provide a typical organizational template that enables management to build custom policies, procedures, and an organizational structure that meet the business requirements.
  • Give a high-level overview of the structure of a typical organization.
  • Provide a high-level overview of how the policies and procedures support and fit into the organization.
  • Provide a high-level overview of the IT, management, and administrative positions in the organization and their roles.
  • Restate COBIT requirements as understandable statements as they relate to organizational operations.
  • Analyze the need for each COBIT requirement based on its criticality to typical organizations of various sizes.
  • Analyze the trade-off between controls and efficiency in the organization.
  • Provide job descriptions for the various roles in the organization.
  • Detail which policies affect each job role and how, based on a hypothetical or typical organizational structure.
  • List the important points in each policy. Note: some items in the policies overlap; for example, the server security policy, the system lockdown policy, and the server documentation policy all require a list of servers and the applications they run.

Practical Policies

Policies and procedures cannot be draconian or obscure if they are to be effective. They must be clear and well communicated, and brought to a practical level that the personnel they affect can easily understand. All staff members must understand how the policies affect their daily work. Policies, together with processes, give an organization structure: they clarify duties and roles and create repeatable processes that ensure consistent results and increase efficiency. However, policies can never substitute for sound judgement. Policies must allow sound judgement to prevail and should encourage creativity rather than discourage it.

COBIT covers many security, quality, and control processes and considerations. However, the organization must not lose sight of why these controls and processes are put in place. They exist to protect the interests of the organization and its staff by keeping the business efficient, preventing abuse, and protecting data. Controls should be implemented in the most efficient and least obtrusive way possible. Many controls exist simply to promote communication, for example to prevent a service from being taken down without notice to the people most affected by the outage.

Effectiveness

When policies and procedures are developed, the purpose for creating them must be kept in mind. The policies and the organizational structure must together support the function of the business as efficiently as possible. A primary example is the purpose of a risk assessment. One purpose of a risk assessment is to let the business manager understand the project and security risks associated with a service and sign off on those risks. But the most important function of a risk assessment is to mitigate risk that is too high before it causes damage. Therefore the policies and organizational processes should provide mechanisms to mitigate risk early in the project lifecycle, before design decisions are locked in. The exact method varies from organization to organization, but whatever policies and processes are used, the purpose remains the same: mitigate risk early to prevent costly incidents and avoid redesign and rework.

Even well-communicated policies by themselves are not enough to manage an organization effectively. Policies must be closely supported by procedures or processes. Standards should be created that state what is expected, and recommendations and methodologies should be provided wherever possible to keep the organization effective. When organizational members are told they must follow a policy or requirement, they usually look for guidance about what is expected. For example, when programmers are told they must use a secure password reset method in their applications, they look for guidance about which methods are considered secure. The best solution is to define the secure methods based on business needs and, where possible, provide a standard library of vetted code that developers can use to meet the requirement. This saves time and money every time an application with that functional need is written, and it keeps the implementation consistent across applications.