Implementing Policies, Procedures, and Standards Effectively

There are many policies and standards for enterprise-level organizations to implement. It seems there are so many policies, standards, and procedures that no organization could implement them all within any reasonable expectation. Control Objectives for Information and related Technology (COBIT) from the IT Governance Institute, which covers business practices, together with the security standards published by the National Institute of Standards and Technology (NIST), contains practices that are almost too numerous to count. It becomes seemingly impossible for employees to be aware of all the standards, policies, and procedures they are supposed to adhere to, and harder still to live up to them. The question becomes: how can an organization implement these many standards effectively?

An organization may implement these many standards by bringing them home to the day-to-day work of each employee, based on that employee's job role. Performance against them must then be audited and measured. COBIT and other very useful business tools can be very comprehensive, and they may include guidance that literally saves your organization. For example, if your organization depends on specific software for a critical business process and the company supporting or providing that software goes out of business, what will be the impact? If your organization follows COBIT, the software will be held in escrow with a third party, and your organization can gain access to the source code and either support it themselves or contract the support out to another third party. Without such an arrangement, a critical business process may be permanently broken.

Despite the great usefulness of COBIT, I find that when using it to help establish business processes, it is very unwieldy. It is essentially a checklist of things that an organization should be doing or incorporating into its policies or practices, but it does not provide guidance on how to implement the items.

This policies and procedures guide takes the idea behind COBIT to the next step. It primarily provides template policies and procedures and aligns them with the parties affected by them. It contains policies, procedures, and standards based on COBIT and NIST, along with practical experience and knowledge. It contains the most important points from COBIT but is not guaranteed to contain every item in COBIT. There are many useful standards and procedures that can be incorporated into this document; many have been created and are included. However, there are many more that could be added and would provide additional use to organizations, and they will be added as time allows.