Organizations know that policies are critical to any mission. How do you handle data? How do you navigate surprise incidents or emergency changes? How do you secure critical information?
Governance is a key element of the service value system—that is, the way you create and deliver value to your customers. The ISO/IEC 38500:2015 standard for governance of IT departments and organizations defines IT governance as the system by which the current and future use of IT is directed and controlled.
According to ITIL® 4, this direction usually comes in two forms: strategies and policies.
Strategies are typically spelled out from the CEO and executive leadership. But what are the policies that an organization needs to have in place in order to succeed? Experts suggest a few IT areas that need policy.
Let’s take a look.
Policies are the framework and constraints (guardrails) within which employees can strive for individual and collective success. ISO vocabulary defines a policy as:
"Intentions and direction of an organization, as formally expressed by its top management."
In IT, the scope for policies covers many areas, ranging from high-level, organization-wide policies to specific topical policies that likely affect only IT employees. When developing policies for your organization, consider:
When it comes to policy content, the VeriSM™ service management approach provides three simple clear questions that your policies must answer:
So, what are the most critical IT Policies? The ones your business must have? Well, each organization is different. What’s critical to one may not be the same for others.
The golden rule in governance has long been that we cannot outsource oversight.
Most organizations embracing digital transformation have outsourced the need to maintain IT infrastructure and platforms—this used to take up significant policy effort. Depending on your organization’s maturity, you may no longer need many I&O policies, for instance.
If you do have a cloud strategy, it’s likely that your policy focus has shifted to service and data layers. This is where most interaction with technology is now happening, especially when it comes to app development. But that doesn’t mean that you can neglect the underlying layers. Instead, you’ll likely pivot to areas like security and billing.
(Interestingly, most modern app development approaches align to the agile manifesto, which de-emphasizes rigid processes and comprehensive documentation—two elements that are traditionally the bedrock of policies.)
When we look at standards, here’s what we see. The ISO/IEC 20000:2018 standard for Service Management defines only three policies defined that any IT organization should maintain:
You might be wondering about other policies that seem critical.
The Info~Tech Research Group defines other policies that IT organizations need to put in place. These include:
Your organization may need policy in all seven of these areas; or, maybe only four are appropriate. We’ll briefly look at each one here, then point you to more resources about these practices.
This policy establishes the framework of setting service management objectives in line with the organization’s purpose. This policy includes:
It is the definitive top management commitment to service management, aligning directly with ISO/IEC 20000 requirements.
Without it, there is no evidence of service management direction from the leadership, potentially leading to a disjointed approach to service management activities across the organization.
(Check out what's happening in service management today.)
The intention of a change management policy is to maximize the number of successful service and product changes by ensuring that you’re properly assessing risk, authorizing changes to proceed, and managing the change schedule. (In ITIL 4, this policy is renamed to change enablement.)
The policy defines:
Without this policy, risks of unplanned service disruption or bureaucratic hurdles to smooth change execution are likely to occur (exactly when you don’t need them).
(Learn more about the roles involved in change management and navigating change in the cloud.)
This policy spells out the required posture to secure the availability, integrity and confidentiality of business information on IT systems from potential risks, through appropriate controls that align with organizational and regulatory requirements.
For the most part, any Information Security policy comes with a lot of sub-policies covering different topics as per controls, including, among others:
With cyber security risk becoming the #1 focus for most digital organizations, absence of this policy is itself a risk. Without coordinated effort to secure data, your organization’s existence is threatened if a significant attack occurs.
(Learn more about the InfoSec management and cybercrime prevention.)
The Enterprise Architecture policy outlines how IT supports the business mission and operations, through alignment and prioritization of IT strategies and initiatives. It also includes guidelines for designing, planning, implementing, and governing enterprise IT architecture.
Without this policy, your organization risks increased costs and poor performance.
(Understand the role of a system architect and architecture in DevOps environments.)
This policy focuses on the management and governance of data assets—i.e., documents, databases, and application data files—with a strong focus on data protection and privacy.
A key data management component is the data classification policy, a formal framework for categorizing and managing data.
The heart of a data classification policy is to sort data according to its sensitivity, its value, and the impact that altering, destroying, or disclosing it to unauthorized parties would have.
Organizations can then apply the right protections based on these characteristics. Public data needs little protection, whereas more sensitive internal, confidential, and restricted data needs more protection.
Protecting data is important, but so is demonstrating compliance with regulations and security frameworks. You may need to show how you have used, managed, and protected data in adherence to legal requirements and standards. This also shows customers and partners that your systems are trustworthy.
Lastly, your data classification policy helps you efficiently use resources to reduce security risks to your data and systems. Instead of treating all data as equal, you can focus on protecting the most sensitive data.
Without this policy, you’re risking the misuse, loss, regulatory penalties, or lost opportunity from data usage.
(See how data ethics and the data lifecycle can help you create data policy.)
This policy provides guidelines on activities involved in the asset lifecycle, from acquisition, tagging, deployment, usage, maintenance, withdrawal, and disposal.
Absence of this policy would impact the organization financially because you’re not maximizing the ROI of your assets—and you may even be taking a loss.
(Understand what assets are and explore software asset management tips.)
This policy provides guidance on acquisition of service components required for delivery of IT services, ensuring value for money and holding suppliers to their contractual commitments.
Without it, the organization can be impacted financially by poor decisions that could lead to:
(Explore cost management strategies and tips.)
Adopting and maintaining an IT policy ensures all employees understand the importance of cybersecurity and protecting data and systems. Moreover, it provides clear guidance on each person’s responsibilities when using, managing, and securing technology.
Whether it is because of compliance with regulations, need for internal controls, operating requirements, or risk management, the need for IT policies cannot be understated.
With the ever-evolving technology landscape and the strategic drive for digital transformation, ensuring that sound policies that shepherd, not constrain, good practice are an essential ingredient of maturity and excellence for any IT outfit.