Many IT organizations are good at establishing policies but have an uneven ability to get their staff to follow them. It is important that an organization be able to enforce policies. If the policies are important enough to create and approve, they are important enough to enforce. In fact, when I coach managers on their governance process (the ability to enforce standards and policies) I tell them that if they are not prepared to enforce a policy, there is really no reason to create it to begin with.
The best way to make sure your organization follows your defined policies is to initiate a policy audit. On the surface, a policy audit might seem daunting. However, it is not so hard. Follow this simple process to execute an audit to ensure your IT policies are being followed.
- Inventory your policies. You can't do a policy audit if you are not sure what your policies are. The first thing to do is to inventory all of the policies in the IT organization.
- Pick the policies that are most important, and then a few more. You could audit every policy in your inventory but you don't need to. You should pick out the policies that are important to you; such as your email policies, your Internet usage policy, and your hardware procurement policy. Then pick out a couple more policies more or less at random. The reason for picking both is that you want to ensure that your most important policies are being followed, plus you want to check some others to make sure that your organization seems to be following all policies, not just the important one.
- Talk to the business owners of each policy. Start by identifying the business owner of each policy and have a discussion with them about each policy.
- Validate automated enforcement. Ask the policy owner whether there are any enforcement mechanisms that ensure that the policy is followed. For instance, you may have a policy for virus scanning of all inbound emails. When you talk to the email group, you may discover that this policy can be enforced systematically since this group owns the email servers and they can ensure that all incoming emails are scanned. If a group can enforce a policy systematically, they need to prove that the policy is being enforced in all instances. If they can, you are fine for that policy. If they cannot validate that the policy is being enforced in all instances, then document this policy as one that needs further scrutiny.
- Manually audit the remainder of the policies. Most policies cannot be enforced systematically. Work with the policy owner to determine the best way to validate that the policy is being followed. Depending on the policy, this could take many forms. For instance:
- You could look at the paperwork for 25 turnover instances to validate your production turnover policy.
- Your teleworking policy may require that you identify 5 teleworkers and interview them and their managers.
- You could analyze a cross-section of 20 workstations from around the company to determine whether your workstation policies are being followed.
- Prepare general conclusions. After you have completed all of the individual audits, you can make some overall conclusions. For instance, if the results of the individual policy audits are all generally favorable (perhaps not prefect, but generally favorable) then the CIO should feel confident that policies are generally being followed. If the results of most of the specific audits were unfavorable, then the CIO should have reason for concern that policies in general are not being followed. There will be some follow-up necessary to determine why the policies are not being followed, and then an action plan will need to be put into place to turn ensure your organization does follow defined policies.
You don't have to audit every policy and every instance to make an overall conclusion on whether your organization is following your documented policies. Based on the results of this policy audit you can determine if you are okay in how your organization follows policies or whether you have more work to do.