Many IT organizations are good at establishing policies but
have an uneven ability to get their staff to follow them. It is important that
an organization be able to enforce policies. If the policies are important
enough to create and approve, they are important enough to enforce. In fact,
when I coach managers on their governance process (the ability to enforce
standards and policies) I tell them that if they are not prepared to enforce a
policy, there is really no reason to create it to begin with.
The best way to make sure your organization follows your
defined policies is to initiate a policy audit. On the surface, a policy audit
might seem daunting. However, it is not so hard. Follow this simple process to
execute an audit to ensure your IT policies are being followed.
- Inventory your policies. You can’t do a policy audit if you are not sure what your policies are. The first thing to do is to inventory all of the policies in the IT organization.
- Pick the policies that are most important, and then a few more.
- Talk to the business owners of each policy. Start by identifying the business owner of each policy and have a discussion with them about each policy.
- Validate automated enforcement. Ask the policy owner whether there are any enforcement mechanisms that ensure that the policy is followed. For instance, you may have a policy for virus scanning of all inbound emails. When you talk to the email group, you may discover that this policy can be enforced systematically since this group owns the email servers and they can ensure that all incoming emails are scanned. If a group can enforce a policy systematically, they need to prove that the policy is being enforced in all instances. If they can, you are fine for that policy. If they cannot validate that the policy is being enforced in all instances, then document this policy as one that needs further scrutiny.
- Manually audit the remainder of the policies. Most policies cannot be enforced systematically. Work with the policy owner to determine the best way to validate that the policy is being followed. Depending on the policy, this could take many forms. For instance:
  - You could look at the paperwork for 25 turnover instances to validate your production turnover policy.
  - Your teleworking policy may require that you identify 5 teleworkers and interview them and their managers.
  - You could analyze a cross-section of 20 workstations from around the company to determine whether your workstation policies are being followed.
- Prepare general conclusions. After you have completed all of the individual audits, you can make some overall conclusions. For instance, if the results of the individual policy audits are all generally favorable (perhaps not perfect, but generally favorable), then the CIO should feel confident that policies are generally being followed. If the results of most of the specific audits were unfavorable, then the CIO should have reason for concern that policies in general are not being followed. Some follow-up will be necessary to determine why the policies are not being followed, and then an action plan will need to be put into place to ensure your organization does follow defined policies.
You could audit every policy in your inventory, but you don’t need to. You should pick out the policies that are important to you, such as your email policies, your Internet usage policy, and your hardware procurement policy. Then pick out a couple more policies more or less at random. The reason for picking both is that you want to ensure that your most important policies are being followed, plus you want to check some others to make sure that your organization seems to be following all policies, not just the important ones.
You don’t have to audit every policy and every instance to
make an overall conclusion on whether your organization is following your
documented policies. Based on the results of this policy audit you can
determine if you are okay in how your organization follows policies or whether
you have more work to do.