Jorge Carrillo, Ph.D., CISA, CISM, CISSP
Privacy and IT policies have a lot in common: both are considered important, organizations worry about not having them, and yet not everyone fully understands the implications and consequences of getting them wrong. Privacy and IT policies are also concepts that evolve: what is an acceptable policy today (or what is considered a privacy concern) may not be a satisfactory practice tomorrow. Similarly, COBIT has evolved from an audit framework in 1996 to a governance and management of enterprise IT (GEIT) framework in 2012, presenting, among other aspects, policies as fundamental factors for influencing proper governance and management over IT.
This article presents a modern approach for designing a policy framework using COBIT 5 principles, which provide a robust and systematic approach to ensure that policies are used as instruments to implement accepted business strategies. A policy framework provides a logical structure for organizing and defining policies. It also establishes additional documentation that supports the policies’ implementation and enforcement.
The objective of this article is to provide a structured methodology for assisting organizations in developing and implementing an effective policy framework.
IT policies help an organization articulate its desired behavior, mitigate risk and contribute to achieving its goals. The evolution of IT policies can be illustrated by comparing the following two documents: Generally Accepted Principles and Practices for Securing Information Technology Systems1 and Information Security Handbook: A Guide for Managers.2
The first one, published in September 1996, states that a policy should, among other aspects, define and specify rules for particular systems. The second one, published in October 2006, defines a policy, in the context of information security, as an aggregate of directives, rules and practices that prescribe how an organization manages, protects and distributes information.
Configuration and standardization of IT systems and infrastructure were priorities in 1996. After 10 years, organizations realized that taking advantage of IT requires proper management and governance of information resources.
Further, it has become apparent that failing to design and implement robust business processes quickly renders technology-based controls ineffective. For example, the Verizon 2011 Payment Card Industry Compliance Report3 points out that organizations struggling to meet Payment Card Industry Data Security Standard (PCI DSS) requirement 12 (maintain an information security policy) also fail to drive practice and successfully implement the other PCI DSS requirements.
Creating IT policies in a changing environment is not a straightforward task, but it is often a necessary one. Organizations might not fully appreciate the advantages, limitations and risk factors of emerging technologies; for instance, choosing a cloud computing solution requires managing the associated risk while still giving the business a route to create value in an environment full of uncertainty.
IT policies are not an IT-only activity. Incorporating IT principles with end-to-end business processes ensures better coverage and cooperation across the enterprise (i.e., responsibilities and authorities are clearly defined), reduces duplication of controls across different teams, and provides a consistent approach to address business requirements.
Finally, as illustrated in the Information Security Management Handbook, the core of any business is its people—their individual attributes, including integrity, ethical values and competence.4 Therefore, policies should be communicated, understood, supported and accepted by everybody; otherwise, they are meaningless.
COBIT 5 introduces seven enablers (see figure 1) as support tools for the implementation of GEIT.5 The four dimensions (stakeholders, goals, life cycle and best practices) of the enabler Principles, Policies and Frameworks are discussed in the following sections and suggestions for a systematic method of designing and implementing a policy framework are provided.
COBIT 5 ensures that a policy framework meets stakeholders’ needs, covers the end-to-end process (and not only the IT function), and establishes the additional documentation required to ensure that governance and management goals and activities are achieved.
Stakeholders Dimension
There are stakeholders who define and set policy principles, and there are others who follow, adhere to or implement such principles.
The first group of stakeholders defines and sets policy principles, taking into consideration general organizational governance principles and analyzing and identifying internal and external factors (e.g. regulation), business direction, and organizational culture. The organization’s board of directors and executive management belong to this group. They are, in addition, accountable for giving direction about, communicating on and implementing governance objectives, and for defining the core components of a policy framework.
The core components of a policy framework are:
The fear, uncertainty and doubt of the other stakeholders are reduced by following policy principles.
Goals Dimension
Goals are statements, based on the policy principles defined previously, that describe the desired outcome. Examples of goal statements are:
As far as policies are concerned, goals and policy principles should be related in order to provide assurance that stakeholders’ requirements are addressed.
Life Cycle Dimension
The policy life cycle combines the policy principles and goals defined previously and includes the following phases:
Good Practices Dimension
The separation of governance and management activities points out the need for more specific guidance on how policy principles are implemented and managed. A good practice is to create additional documentation to support policy effectiveness and efficiency,6, 7, 8 for example:
All organizations have policies that guide how decisions are made and how business objectives are achieved. An effective policy framework increases organizational accountability and transparency and is fundamental for helping the organization to meet its objectives.
Creating policies is more than typing words on a page; it involves a systematic approach for properly articulating governance and management principles. COBIT 5 principles help to provide a holistic approach to include all the minimum requirements for a policy framework, avoiding reinventing the wheel and ensuring that the complete life cycle of a policy is understood.
1 Swanson, Marianne; Barbara Guttman; SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, September 1996, http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf
2 Bowen, Pauline; Joan Hash; SP 800-100, Information Security Handbook: A Guide for Managers, October 2006, http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf
3 The Verizon PCI and RISK Intelligence Teams, Verizon 2011 Payment Card Industry Compliance Report, 2011, www.verizonbusiness.com/resources/reports/rp_2011-payment-card-industry-compliance-report_en_xg.pdf
4 Tipton, Harold F.; Micki Krause; Information Security Management Handbook, 6th Edition, 2007
5 ISACA, COBIT 5, USA, 2012, www.isaca.org/cobit5
6 Bacik, Sandy; Building an Effective Information Security Policy Architecture, CRC Press, USA, 2008
7 Op cit, Tipton
8 Writing, Stephen B.; Exceptional Policies and Procedures, Process Improvement Publishing, USA, 2009
Jorge Carrillo, Ph.D., CISA, CISM, CISSP, is an IT security and IT audit professional with experience in developing IT policy and risk management processes. Carrillo is a lecturer at Prague College (Czech Republic).
The ISACA Journal is published by ISACA.
© 2013 ISACA. All rights reserved.