Join or sign in Register for your free TechRepublic membership or if you are already a member, sign in using your preferred method below. Use Your Email Use FacebookUse Linkedin

Who should write Policies and Procedures?

Locked

Who do you think should write Network and Computer use Policies and Procedures: network administrator, overloaded with daily routine tasks and various IT projects, or IT Manager?

Topic

Team

In reply to Who should write Policies and Procedures?

IT policies should be developed by a team. The team needs to consist of people who understand IT as well as people who understand the business. The policies should by sponsored by a VP level indivual with final approval. The network admin may write the policy, with guidance from the team. The team should then reccomend the policy to the VP.

Local Champ!

In reply to Team

In a one man situation..wherein you’re the IT Man, The Network Admin…and infact 1st line support plus anything that has to do with IT and most probably electronics, you certainly are in charge! I once wrote the IT strategy of a well known Charity Org, all alone. The experience was good and played aplus to my multi-tasked job description. Teams are good, but good consultations and vision I think, should determine who does it.

IT Policy

In reply to Team

IT policy is no rocket science and should be in line with business needs and written by a security specialist. Policy should be in line with many of the IT standards such as BS 7799 ITIL etc. However workprocedures can be written by a team of people and should reflect the current situation before people start changing infrastructure to get it to ajust to policies and procedures. Try to get it to fitt the business not the other way around.

IT = Team

In reply to IT Policy

I work with a small company of about 100 end users and i’m the Network Admin and when it comes to policy, the IT mgr. asks my opinion and usually takes what I say into fact and enforces it. But when we write the policies, all 3 of us in the Dept. talk about it because EVERYTHING that we do is at risk so it involves a department meeting and we get it done.

IT Policy

In reply to IT Policy

Currently in our organisation the IT Team determines what should be written into the IT Policy and then it is passed through the management and Councillors to be signed off. If they don’t like what is in there they will not sign it off. I beilieve that the end result is that you need support from your management to enforce these policies.

IT Policy

In reply to IT Policy

In my organization, the entire team of Help Desk Technicians, Systems Administrators and Director writes the IT Policy. The buck stops with the Director of IT.

I agree

In reply to Team

There should be a team or a committee of sorts that decides on the elements of a base policy. This should be a companywide policy that is signed off by a VP, Director, CEO, etc. Once the policy is in place then managers have the discretion of adding to it for their departments. What they add – if it is reasonable – could be implemented. If their request does not seem reasonable, then it would have to be forwarded to the policy authorizor for approval. It should never be left to the administrator alone – he/she should have assistance and someone to back them up.

Writing Skills

In reply to Team

Please make sure somebody on the team can write. If you have to draft someone from outside IT, hire somebody new, or accept someone with less-than-excellent tach skills, so be it.

Tech Skill Doesn’t Equal Writing Skill

In reply to Writing Skills

I agree 100% that hiring someone who has writing skills is imperative to creating functional documentation that has value for all team members. My personal vote is to acquire a technical writer to at least edit and organize the documentation so that it is usable and easily understood by ALL team members.

Second that

In reply to Tech Skill Doesn’t Equal Writing Skill

Or third, but IT as a whole looks foolish to the company or organization if your releases/warning/documents are written by an unskilled writer. I am associated with an organization fighting the PR problem and our releases don’t help.

On a side note, keep the policy team small and get support from the higher-ups. Without those two pieces you will be fighting a long (and probably losing) battle to get a decent policy implemented. (speaking from several months on a policy team re-writing the policies for an org with around 13,000 people in it)

Team approach is the only way

In reply to Team

Policies should definitely be developed by both IT and management together. The specific involvement of each should depend on the capabilities of each. For example, more IT involvement will be required when the IT manager is not himself an IT person. Companies that have a legal department should definitely get legal input as well.

If technical writers are available, I agree with other comments that the final document should be at least edited and formatted by them.

No one answer

In reply to Who should write Policies and Procedures?

If you are looking at pushing back on your manager, thats not an issue we can help you with. I hope you are dialouging with your manager on this kind of issue.

The duties of a manager and the duties of an employee vary infinitely from company to company, and indeed from department to department. I certainly wrote policies and procedures when I was a technical specialist. Management was responsible to provide feedback on those policies, and to get buy in from HR. But I wrote them.

As a manager currently, I do some technical tasks that could easily be done by one of my employees. I choose to do them. Thats my perogative. And if I chose to delegate them at some point, thats also my perogative. I only hope that what I do makes sense and helps the company.

You sound like you have a chip on your shoulder regarding your manager. None of us here can help you with that. Perhaps you aren’t aware of all the tasks assigned to that manager, or perhaps you don’t have an effective or efficient manager – we can’t help you with that.

James

I completely disagree

In reply to No one answer

I don’t understand why you would have responded as you did. This question in particular is one that has been an issue for as long as I’ve been in IT, which is twenty years. Most of the time the problem, as I see it, is that a system administrator thinks that he can make any kind of restrictions on computer use that he wants without regard to corporate policy. This kind of thing was much worse twenty years ago when most system adminsitrators were emotionally crippled sociopaths. However, I think that this question may be the most pertinent question posed in these forums in the last couple of months. This is exactly the kind of thing that needs to be discussed. The TR forums were made for just this kind of question.

Flexibility in roles

In reply to I completely disagree

This is NOT the scenario where the rogue sys admin is setting policy all on his lonesome. This is a situation where the manager has directed the sys admin to craft the wording of the policy – the manager has obviously given guidelines, though only the original poster can tell us whether they got enough detail to work with.

Don’t presume you are the only one with 20 years experience. I have been in IT that long as well. And I have written policies both as a manager and as non-management. In the case of a non manager, you can craft the wording, but someone in management needs to approve it, and seek approval from all appropriate stakeholders. The frustrating part that I can relate to from the original posters perspective is that if you aren’t given specific enough guidance it can be a long frustrating process.

Emotionally crippled sociopaths?? Surely you exagerate when you say most…..

James

You can sure read a lot into one sentence

In reply to Flexibility in roles

You wrote “This is NOT the scenario where the rogue sys admin is setting policy all on his lonesome.”

I didn’t say it was. I said that the issue at hand is who is responsible for writing policy.

You wrote “This is a situation where the manager has directed the sys admin to craft the wording of the policy – the manager has obviously given guidelines, though only the original poster can tell us whether they got enough detail to work with.”

How did you interpret the original post to say anything like that? Your entire assertion is derived from your imagination. The original poster said nothing of the sort.

You wrote “Don’t presume you are the only one with 20 years experience.”

I didn’t presume anything of the sort. I was making the point that I am not a kid fresh out of school and that I have decades of office experience. I didn’t say anything about being the only person with relevant experience. Again, your interpretation is derived strictly from your imagination.

You wrote “In the case of a non manager, you can craft the wording, but someone in management needs to approve it…”

I agree. That is my position as well.

So, why did you originally enter a post telling everyone not to participate in this discussion? That was my question to you in my response to your post and you completely failed to address that issue in your reply.

Reply To: Who should write Policies and Procedures?

In reply to You can sure read a lot into one sentence

It’s all in the interpretation. You thought he was issuing a directive for nobody (no one) to answer, where I thought tht he was saying there was no single (one) answer.

You’re right

In reply to Reply To: Who should write Policies and Procedures?

Now that you point it out it is clear to me. He was saying that there isn’t one single answer.

Okay. In that case forget everything that I said related to his post.

Well this is embarassing enough. I’m just glad that I didn’t include a lot of flame-o-matic phrases.

With all due respect

In reply to You’re right

I’ve been flamed by Snopes…..

Now he can flame…..

If you want details you can google alt.folklore.urban, my name, and look for the posts in 1993 and 1994…..

Snopes stopped posting there a few years later.

James

First, lets get real . . .

In reply to I completely disagree

Systems Admin’s “20 Years Ago” can’t even be compared. Hell, 20 years ago very few organisations had IT to the desktop, thus policy was hardly a prime consideration.

I am now a consultant, so have been out of the front line for a year or so. However, in my last few IT Director roles, I always wrote policy in conjunction with my team. My contribution was primarily on behalf of the business, and I wanted to see active participation from my team with suggestions and stories from the “front line” that could influence the policy.

Sure, you do get over-zealous net admins, but they can be told pretty effectively not to take that approach.

FYI – In my last role, we trimmed the IT usage policy down from a small novel into a leaflet, removed a lot of the “treat staff like small children” feel from it, and ended up with a far happier user base with far less problems and systems abuse.

Paul

Team work

In reply to First, lets get real . . .

What most of us forget is the modern day compliance requirements of nations and to this end policies now require input from HR, IT and the Business; some believe that the policy should
be “written” by the HR Manager and not the IT department!

should be team in IT

In reply to Team work

I have worked in IT for several companies with unique technology needs. Without input from HR and the Business side, I would have overlooked and/or ‘locked-down’ things too tightly in some areas. In a sense crippling the company. I agree that a commitee approach works best. m I just like having the final say though 😉

On The Right Track

In reply to should be team in IT

It was rather amusing reading the trail of responses, especially from the “stress” zealot! I believe your on the right track, and it does not take 20+ years of IT to deduce this. Depending on the branch of IT you operate in – Service, Operations, Consulting, etc.; you will run across divergent needs and requirements that will play a role in the formulation of P&P. I happen to work in the service sector – 24×7 entertainment (Casino). We happen to be one of the most progressive branches, as new technologies run rampant in the mushrooming industry. Keeping track of the new technology requires effective P&P. I have to second the responses of those that wrote that understanding the business and operations is key, and soliciting the assistance of HR is crucial. IT can no longer work in a vacuum, entrusting the Admnins to come up with policy. Not only is this endeavor an IT Team Endeavor – Net Ops, Admins, Analysts, IT Management; but also those newly found IT positions such as – Business Systems Analyst, Project Managers (PMI), etc. Hope this helps.

Include Legal

In reply to should be team in IT

Working for a large, religious non-profit, our team included the legal department. Their perspective in protecting the organization from liability played heavily into the design of our policy manual. They also had the wisdom to make the policy broad in order to make it’s implementation flexible.

The downside of the broad approach is that I (lone IT Mgr. supporting 125 users) now find people violating the policy because they don’t see how it applies to real life. Consequently, I am crafting a document called “Policies in Practice” with the help of my Director and his boss, the COO. This doc can be flexible and can grow and change as the environment changes, which is quite frequently.

In any case, it’s essential to get buy-in from the top stakeholders. Otherwise, the policy will carry no authority.

Policies vs. procedures

In reply to I completely disagree

If you are talking about IT security policies, then the IT security group usually is the group to create the policy and allow the network and sysadmin group/management to review and make comments and corrections. The actual procedures I think should be written by the group who is in charge of that particluar are (e.g. network logon procedures or account creation procedures). I have written security policies, but procedures were written by others.

LOL….I had to read it twice but I agree

In reply to No one answer

Your right, managements role is the approval or re-write.

Management & the executive will be the one’s responsible for policing, enforcing & educating on both.

Strictly a management function

In reply to Who should write Policies and Procedures?

Management makes the policy. The tech support personnel implement the policy. It’s a simple question of definition of job title. If you look at the question from the perspective of another business department the answer becomes clear. Take the example of the business shipping department. Should the manager or the truck drivers make corporate policy? It’s clear that truck drivers do not have the authority to make corporate policy. The same thing applies to IT. Managers make policy. Period.

A good manager

In reply to Strictly a management function

will utilize all the expertise (including the grunts) available to craft intelligent policy. It doesn’t make sense to dictate policy that will be ignored or that can’t be followed for some reason.

The grunts should reply to the policy with the procedures they use to actually implement the policy. If you do this correctly, you won’t actually be implementing new policies or procedures, simply documenting the existing ones (unless there is a need to change them).

Yup, but…..

In reply to Strictly a management function

Yup… and if that policy that the manager makes involves a subordinate writing up policies then they do it. Period.

Just because management set policy doent mean they have to be involved in drafting it. Policies dont get written in a few minutes by one person in my experience. A typical process would be something like – subordinate drafts and then discusses with manager. Revisions made by subordinate. Manager then takes the document to the other parties (eg HR, VP/CIO etc), revise again as necessary and then finalise. Document signed off by the big cheese.

The wording of the question strongly suggests the question setter has an issue with their boss and their (perceived and/or real) workloads. It sounds like they feel put upon and this question is a symptomatic not the real heart of the issue for them.

He said – “just get me a policy”

In reply to Yup, but…..

No guidelines were given and only one week to think about it. Being overworked, like everyone else in IT, I’d suppose, it’s impossible to sit down and concentrate on writing even a draft without knowing what he wants. Some responses here are right regarding pure techies – I’d restrict so many things irresponsible users do, that this policy wouldn’t go nowhere besides the trash can and my time is too precious to spend this way.

Look at the silver lining

In reply to He said – “just get me a policy”

Yes, the way it was dumped on you sucks. Yes, ideally, you would have more than just one person’s input. Yes, policies really should be management driven. However, I would urge you to look at the positives:

You’ve been given an opportunity to outline the way you think things should be. Start thinking about some things that detract from your work (personal PC work requests, non-standardized equipment,virus cleanups, etc), and find a fair way to work them into the policy. Just be sure to only include items that you could reasonably defend, if called on it.

Even if you supervisor doesn’t show it/say it, the fact he dumped this on you shows he has, even unconsciously, the faith that you can get this done (I am open to the possibility he is just oblivious to the importance of this, though).

If you have company policies on other facets of the business, I’d encourage you to take a look at them. In the policy you create, try to emulate the tone and nature (general terms vs. specific, normal language vs. legalese, etc) of those policies. Company policies tend to reflect the company culture, so you’ll want to make sure your’s fits in accordance to what is already out there for your outfit.

Also, if you are having trouble, there are a lot of templates available out on the web you could peruse (although I haven’t looked for any in particular, I’d wager there are some on TR). Looking at these may help you keep from adding too much to your policy.

If you really want to get perspective on this, get up from the desk, go walk around the office, and pay attention to all the non-essential, non-standard stuff going on and think about what you can do about it…..

Are you back? Feel better? 😉

Thanks for the advice – it was really good one

In reply to Look at the silver lining

I am not really much into management and politics, but will take your word of advice. Thanks again.

Have you try the Download section??

In reply to He said – “just get me a policy”

Have you looked at the one TechRepublic has in the downloads??

http://techrepublic.com.com/5138-10634-5549585.html?tag=search

Look at it this way

In reply to He said – “just get me a policy”

Look at it this way, think what the company wants from the policy and write up something quick and rough. Talk to any ‘stakeholders’ you can get hold of for 5 minutes and ask them what they want out of the policy.

If your manager has not given you input into what the policy should contain go ahead and find out for yourself. You may well find that he is under pressure to have a policy in place more to put a tick in a box than to actually manage anything.

Absolutely the Big Big Picture

In reply to He said – “just get me a policy”

If techies could youre right, they would restrict everything a user does to mess up a pc or network. Not to mention the over zealous manager who thinks that all users are loosers.

If you look at the bigger picture what about a goverment installation or a school. Policy comes from the top they wrote it and we simply enforce it. I strongly believe it is not our role to dictate what can and can’t be done. I use all automatic filters and windows policy that way I can say sorry it’s not my call it is all automatic with regards to what you can and cannot do.

Reply To: Who should write Policies and Procedures?

In reply to Strictly a management function

I would say management’s role is approval and enforcement of policy, not necesarily writing it. Management may not even know that there is a need for a particular policy or why.

Policy is

In reply to Who should write Policies and Procedures?

set by management, Procedures by those who have to implement them.
The policy can be very vague, like a mission statement. This is a help though, because it means you can justify the procedures you want against the policy.
Personally I favour no implementatioon details in the policy. You will meet legislative requirements, support the business function etc.

Procedures should be made and managed by the team. The last time I did this sort of thing, the manager never went near the content of the procedure, the only thing he cared about was that they implemented the policy.
What’s the big issue at the monent in the department. Write a draft that could be seen to implement the vague appreciation you have of company policy your manager has given, then have him review it.
In your position I’d consider this a heaven sent opportunity to shine, but I like it when everybody in the company knows who I am. I don’t care that they don’t like what I’ve done, to chnage it all they have to do is get off their ass and contribute.

Depends on company culture, but the IT “team” is what I like best

In reply to Who should write Policies and Procedures?

I know it seems obvious to many that the IT manager would make the policy, but its not so clear cut at some companies. Like this one for instance the “top” IT guy is also involved in overseeing the total operations of the business and he has little time to spend on IT policy by himself and to be honest, its more towards the end of his priority list than the top.

So what we do is approach it as a team effort. Then we logically talk about it what is going on in the company, where we feel we are exposed to vulnerabilities and lack of legal coverage (ie. no copying software, downloading unlicensed content, etc.).

For one policies aren’t static, some things will stay the same of course, but other areas of policy adapts with time and newer technologies. The techs (me being one) know HOW AND WHY stuff works better than anyone else in the company so its logical to have their (our) input when dicussing IT policies.

Reply To: Who should write Policies and Procedures?

In reply to Depends on company culture, but the IT “team” is what I like best

It doesn’t seem obvious to me at all. The IT department is almost always subservient to other departments in a company. We provide what they need to help them do their jobs, not the other way around.

Yes, except you can’t expect THEM to make policy

In reply to Reply To: Who should write Policies and Procedures?

True. We provide services for the benefits of the other departments. Let’s face in IT our customer is literally our fellow associates in all the other departments.

However when the subject is IT policy, certainly the other departments can’t (or at least they shouldn’t be allowed to) write the policy. That’s like them writing their own rules for what they can download, the extent of freedom they have with surfing the web, etc.

I think IT policy should be drafted in the IT department, then passed to management for review, editing, approval, then IT finalizes it.

Reply To: Who should write Policies and Procedures?

In reply to Yes, except you can’t expect THEM to make policy

It’s is up to each employee’s supervisor to determine what the employee is or isn’t allowed to do on the job (within the limits given them from above, of course). It isn’t up to the IT department. Ours is only to implement what is asked of us from above.

To a point

In reply to Reply To: Who should write Policies and Procedures?

The IT department provides services on behalf of the company. The IT department has a responsibility to ensure that the company’s resources are wisely used, and the HR policies (no porn) can be enforced.

The IT department often is charged with giving information to the user’s supervisor or to HR. What they chose to do with the information is not up to IT.

James

Agreed and I’ll go one further…

In reply to To a point

The IT department, I contend, does have something to do with policy concerning the companies technology as one of the large reasons a company pays for IS staff is to not only configure and maintain the technology but to prevent it from failing and securing it against threats.

Example of what I mean…Regardless if a manager, hell if an executive gives authority for someone to go to whatever site or do whatever online — if there is reason for the IS department to suspect the system will be comprised either by being hijacked or virus infection — IS over-rides the authority of even the executive.

That’s one thing about here, you guys heard me sound off a lot, but at least that is one thing my place understands. I’ve even stopped the owner of the place from going to a site because of the threat it poses to our network.

He didn’t get upset (well a little at first) after I explained and told him why my concern. Then he was fine by it because he at least knows enough that that’s one of the reason he pays me.

So yeah…in 9 out of 10 cases IS has no say, but in that 10th case where there is a threat involved..IS has every right to over-ride even the higher ups.

Just make sure you give as much factual information as possible to explain your reasoning and communicate it without emotion.

Management Responsibility

In reply to Who should write Policies and Procedures?

Policy writting is a management responsibility and the current management best practices and theory is that the manager for the area that has responsibility for that material is the one to write the policies for that area / subject. Thus the IT manager is responsible for writing the IT policies; a good manager will then give them to their line managers/supervisors for comment and feedback as they may note operational aspects that the manager missed.

I have both management and IT qualifications and have worked in both general management and then IT.

NB: I am on a 24 kbps line and did not read all the responses already given, so if I am repeating another response – sorry.

Leaders write policy and managers enforce them

In reply to Who should write Policies and Procedures?

In my experience it’s the leaders who write policy & procedures and it’s managers who approve and enforce them.
Are you a leader?

Collaboration is necessary

In reply to Who should write Policies and Procedures?

Both should have a big part to play in the development of policies. While the IT manager should be more familiar with the business goals and vision, they would not be as familiar as the support tech or the network administrator when it comes to common user issues. So, on the advice of the network administrator or systems administrator, the IT manager could develop policies.

Reply To: Who should write Policies and Procedures?

In reply to Collaboration is necessary

I think it’s important to establish a clear line between policy and procedure. I think most “common user issues” would fall under the latter.

Too right

In reply to Reply To: Who should write Policies and Procedures?

Procedures enact policy. They should always be written for the people who have to do them, therefore it’s a lot more practical for the people who have to use them to write them. You get buy in and ownership that way, not to mention no excuses about unworkable ones.
Unworkable policy is a different matter entirely.

The question is flawed. It should be the Tech Writer and…

In reply to Who should write Policies and Procedures?

…a committee with at least one representative from Network Admin, Data Network Services, Development, Help Desk, Infrastructure, Telecommunications, IS Security, Database Administrators, and any other group on your IS org chart.

Once the “ground level” soldiers on the Security Policy Committee agree on what policies should be written in the first place, and on how each policy should be worded, then those documents should be presented to IS Senior Management.

Once IS Senior Management approves the policies, they must be communicated OUT to the lines of business, or they’re not worth the paper they’re printed on.

Well written policies, with revision tables showing when they were drafted and each time they were reviewed and revised, will come in very handy for companies facing SOX or HIPAA compliance audits. Auditors will ask: What’s your policy? How are you enforcing it? Where’s the proof that you’re enforcing it?

In an ideal world

In reply to The question is flawed. It should be the Tech Writer and…

You would have all of that and more (HR should be involved in policies, because they deal with the consequences).

But not every organization has all these types of people. I worked in a large corporation with an IT department of 5000, and there were no Technical writers.

There should be feedback from stakeholders, including internal user groups if they exist.

As far as communicating, at a previous employer we had a good policy. You had to sign a document acknowledging the policies and the consequences(up to and including termination) before you had a network ID and password given to you.

James

It’s a one-man shop…

In reply to The question is flawed. It should be the Tech Writer and…

than what do you do?

Wear lots of hats

In reply to It’s a one-man shop…

and get thoroughly confused on a regular basis.
I was one for about four years until an audit where they made me into four people with same name each doing a part time job.

Cheat ;P

In reply to It’s a one-man shop…

Cobble together a policy, by stealing one from TR
Then get buy in from the other people.
Procedures; assmue that your manager has just asked you to stop the B$ that wastes your time and list all the things you would stop, But
ask for buy in.
Start what should be a dialogue on your term s and let them convince you.

… the best you can!

In reply to It’s a one-man shop…

I guess your first task is to determine who your audience is. If the documentation you’ve created is working and everyone understands it, then count your blessings and move on. If not, then it might be time to add some tech writing consulting skills to the budget … if that’s an option.

Stakeholders first, IT operations second

In reply to The question is flawed. It should be the Tech Writer and…

Policies should be defined at the interface between general
management and IT: that is at IT Director level or equivalent.
Policies are to serve the stakeholders: that is the company and
its customers and staff. IT operations should obviously be
consulted as to what is practical and achievable but the general
responsibility for policies lies with management and the ultimate
responsibility lies with the CEO.

Writing policies and procedures

In reply to Who should write Policies and Procedures?

Policies clearly are not in the technical domain. IT management could take the lead on this, with input from others across the enterprise, including some tech staff. These should support the organization’s mission and goals.

Craig Herberg

writing right now…..

In reply to Who should write Policies and Procedures?

I have been sitting here for the last 4 plus hours writing and updating policies and procedures for HIPAA Compliance. I am the Head IT person. However, due to the fact that I know more about the HIPAA regs than any of my staff much of this I am having to write. That being said, there is a list of these that I am going to pass off to my staff to write. Why?
1. I can’t do all the work.
2. They need to learn how to do it so that they can become better at what they do and learn a new skill.
3. They have insight that I want as well.

Then I will review and update. Then from there what we all have written will be reviewed by the Firm’s Ops team (all owners + CFO).

As was stated earlier – No right answer, but use it to learn and become a better IT person. Education comes in lots of ways – some you pay for, some you get paid for.

Writing Policies & Procedures

In reply to Who should write Policies and Procedures?

IT Manager shall involve in writing Policies.

In line with the Policy, Procedures shall be written by the Network or System Administrator, finally vetted by the IT Manager.

Lord buddah himself could write the policy…

In reply to Who should write Policies and Procedures?

It really does not matter. If Management does not understand and agree with the policy, it isnt worth the rice paper it is written on, grasshopper. Good luck trying to enforce the policy unless you let management feel like they participated in the process and had input. As others wiser than myself have already stated…you must give the appearance that it was a team effort (not to difficult to make management think they played a part in the policy…stroke the ego, drop a couple of suggestions-giving them the final say, of course) otherwise it is just some vauge notion that the geeks in IT tried to put together and everyone ignores.

Team/IT Manger or Network Manager

In reply to Who should write Policies and Procedures?

It Matters not who is tasked with the policy writing within an organization as this will be purely a individual issue with each organization based on size and personnel/skills other then that what is important is the policy is well thought out to consider what is the primary functions of the system and will the policy ensure the efficent functioning of the network is maintained for it’s intended purposes. Secondly the policy must be effectively promulgated to all users from CEO to lowest person in the network and understood. Thirdly it must be enforced and monitored for changes as the business or organization needs change. Lastly
the policy must be a policy that can be one that can technically be implemnted or nothing that was planned or promulgated is going to work anyway.

Nope Policy comes

In reply to Team/IT Manger or Network Manager

down from the top. Any IT specific policies must be in accord with the business policy. It should advise one possible adjustment to business policy where it’s impact is not understood. The the top level policy is restated, if the business agrees.
If manager’s ‘above’ or even at the same level as the IT manager do not agree, then it won’t matter how ‘good’ the policy is IT will not be allowed to implement it.

Reply To: Who should write Policies and Procedures?

In reply to Nope Policy comes

Some managers, and a lot of computer users, put the cart before the horse. An anology: I’ll get a user who tells me “I need photoshop”. I’ll think, “No, you probably need to do some of the things that photoshop does.” I’ll say “What are you trying to do that you can’t do with the tools already installed on your computer?”

Policy is the same. It is not an end, but one of several possibly means.

Can only be broad policy from upon high

In reply to Reply To: Who should write Policies and Procedures?

Such as the user’s can install the tools they use best as opposed to those most convenient for IT.
IT should collaborate with the business, so it can provide the required services as efficiently and as safely as possible.
If some twonk says everyone above level x should have unfettered access to their pcs we’ve got to point out the problems, equally some one in IT should not be able to say, you can’t have hotmail, change your wallpaper, or listen to muics while you are working.

who should write IT Policies and Procedures

In reply to Reply To: Who should write Policies and Procedures?

IT policies and Procedure should be written by both the Stakeholders(Owners), Users, and of course the IT Systems Auditors in conjuction with the Computer personnels in IT department. After the polcies has been drafted it should be forwarded to Computer Steering Committee for proper scrutinization and after this stage then It should be forwarded to the Management for thorough discussion and approval. This is what operate in my organisation; as ALL stake-holders need to be carry along.

As others have said

In reply to who should write IT Policies and Procedures

Policy and Procedure are completely different.
Procedures enforce policy, so in IT they should be written by IT and in my view by the people who execute them. The manager should ensure that company policy is met by them.
Policy cannot just be set by IT though.
To me that should be done at top management level and before it starts said managers should have a good idea of how and whether the policy will impact their dept. That’s bound to be an iterative process and will be subject to review anyway.
IT certainly can and should make recomendations about policy as should every other department.
Over here the process is to put mechanisms into place to review current policy and to be able to adjust it to meet the business needs. Anything else is the tail wagging the dog.

IT Policies and procedures must be a collaboration.

In reply to Who should write Policies and Procedures?

IT Policies can be written by an administrator, but there must be a collaborative exercise, involving all areas of the networks users, IT departments must NOT determine policy, this must be a company wide discussion, if it is done badly, the users will feel that the IT department or management are too oppressive, and restrict what they are trying to achieve for their company or department, the policy may also be counter productive if it is not strong enough and if breaches of policy are not policed or action is not taken against those that disobey the rules of use!

This calls for Collaboration

In reply to Who should write Policies and Procedures?

To get the mix right, the policies need to be formulated by the Management where as the Procedures which are put in place to implement the policies need to come from the System / Network Administrators.

Inputs from the end users are a must to make sure that the Policies and Procedures laid down are workable.

AUP development

In reply to Who should write Policies and Procedures?

I would say, technically, the IT Manager should do it. However, his job is to delegate his duties to his employees.
I work for a School District, so we have the ability to form a Committee geared towards Web and Interenet usage. We accepted the task of updating our current AUP (Acceptable Use Policy). Took us about 2 months, but it would have taken longer if we had made one from scratch. We lucked out abd found an AUP that other compnaies and school districts have used and taylored it to our needs. Of course we got permission from these people 1st.

Let the Routers route like the writers write

In reply to Who should write Policies and Procedures?

IT Policy should be a task of an internal qual. team or person. This should also be in line with whatever industry standards you follow- It may CFR 21 part 11 it may be HIPPA it may be ISO- if those dont ring a bell maybe we should look at SOX- one of these will require you to spend some time developing a set process – or procedure or spend time filling out a check to a angry auditor- there are many companies that can take care of this for you. Stelex Inc. Bensalem PA .
Thanks and good luck —

Both should be involved

In reply to Who should write Policies and Procedures?

My experience shows that most admins get trained to apply Group Policies At the server/domain level. The application of these domain level policies can reflect the Compuuter use Policies of the Organization. Much interpersonal networking occurs in these NetAdmin classes. This sends the newly trained admin off with a broad exposure to why and how other organizations implement policies.

One would hope both the admin and the IT manager have been through this industry standard training and are on the same page about usage policies. In my position , my mission is to protect our data and make our network manageable with as limited staff as can be. Other organizations will have different objectives.
The difficult part is dealing with people of power that have no indoctrination to a corporate computing environment. Their attitude ,in most instances, is that since they have used a computer at home that they are qualified to interject that level of computer usage into opinions powerful enough to conflict with, or over ride, established policy. In this scenario dealing with “where is my control panel?” or ” sending this joke email via the global address list cant be harmful” is a frustrating issue to overcome .

IT and HR

In reply to Who should write Policies and Procedures?

I think that the IT department should be responcible for drafting a policy. The HR department (company) should be responicble for publishing the policy to users. So that it becomes a company procedure and not just an IT dept. policy.

IT should advise on the policy

In reply to IT and HR

in business terms just as HR, operations and whoever. Then the policy gets cascaded down and implemented in a more specific form by each department in the business. IT policy often conflicts with business requirements, so you need buy in in order to implement.
I worked at place where it was policy to completely lock down the workstation, IT(services) applied this to the devlopment department as well. Operationally and therefore business wise this was a total non-starter and it got changed after a lot of arguing.
Course some wet behind the ears network admin categorizing me as a dumb user didn’t go down too well either.

IT does not know enough about the business to make decisions and business doesn’t know enough about IT. So IT policy has to be a collaborative effort or one or the other is likely to suffer.

Policies are a group effort

In reply to Who should write Policies and Procedures?

Policies and Procedures should be created by the IT Staff, IT Management and the Management Team in the office.

Think About the Reality of Policies

In reply to Who should write Policies and Procedures?

When you look at the long-term impact of policies, and the fact that most people read them once (if you’re lucky) and then forget them, the best bet is to buy a book with boiler-plate policies. If needed, you can use the canned policies as templates and customize them to suit your needs. Pass them to management for approval then file them in the cabinet next to The Lost Ark and get back to business.

Unless you have strict enforcement, which in reality I’ve rarely seen, it’s not worth the worry to sweat over writing the policy.

what if you are both….

In reply to Who should write Policies and Procedures?

In a smaller facility that consolidates many job functions and blurs the lines of job descriptions, who should write it then? There are several different resources like Techrepublic and Sans.org that help with a template or frame work to get started. It is trying to get the Administration and the staff to adhere to the guidelines without taking to the hallways in a angry horde.

Open Ended vs. Mosaic Law

In reply to Who should write Policies and Procedures?

Our company has decided that we need an open ended Policies and Procedures plan so that, as our user demands change, we do not have to go through so much red tape to make even minor changes go live. Our policy before that was like the Mosaic Law. Set in stone by management, it felt it would take a thousand years to change, and that only God himself would be able to give the order. In the end, a simple meeting between department heads using my suggestions as network administrator, and bang!!!, now we have an effective policy that allows changes when necessary, and a clear understanding of what is and is not allowed accross the board.
Yup…It’s nice working for a company with less than 200 users.

One man show

In reply to Who should write Policies and Procedures?

Unfortunately, sometimes in smaller organizations, such as in my situation, the net admin and IT manager are the same person. In my opinion, however, it is the IT naagers resposibility. I mean, that is why their jos exists to begin with.

Policy should be reveiwed by legal and HR

In reply to Who should write Policies and Procedures?

In addition to a peer review of the policy by technical and managerial staff, if the policy has legal raminfications, such as termination for violations, it must be reviewed and approved by Human Resources and legal. You don’t want to find out you’ve written a bad policy in court.

Problems of system design

In reply to Who should write Policies and Procedures?

A system is a system is…. Policy and procedure amount to a system. Who are the users of the system, and what do they need for efficient working? Microsoft provides a how not to do it example. It can take an extreme amount of time to find an answer to a simple question. I think a team is almost always needed for a system design of much importance and/or complexity, and should include management, implementers, aand users.

No, I never was an IT person, but I have been involved with systems design and development for some 30 years, from strategic weapons systems to fire control systems to pest management. Lack of adequate user involvement is a good way to kill a system.

Suggest a comittee

In reply to Who should write Policies and Procedures?

While I am normally not a fan of decisions by committee, this is one case where I have a lot of experience as a consultant, and have found that the committee approach is much more likely to produce a realistic policy than a top down approach. As such, what I recommend is a committe which includes 1 or 2 user reps, the network admin, at least one rep from the VP level, a rep from legal, and the IT manager. This need not be time consuming or complicated, but by having all these members, it insures all perspectives are adressed. I find that once the base policy has been created, the maintenance of it can be done with a simple 1-2 hour meeting every quarter, with the occasional “emergency meeting” if something comes up which is unexpected and turns out to not be covered. As for who should chair this meeting, it is my opinion that the IT Manager is ultimately the one who should be responsible as they are in the best position to understand the majority of points of view.

The Boss, but……

In reply to Who should write Policies and Procedures?

As a former CIO, it was my responsibility to set policy, and I did. It was the CEO and Board of Directors responsibility to approve the policies and make them enforceable, however (and this is important) a good manager will probably delegate writing of all or part of policies that specifically deal with IT operations to the people in charge of implementing the policy. Why?

Would you want me telling you how you have to do your job when you know best what would be workable on a day to day routine.

I can, but I trusted the various managers and admins to have a better grip on the nuances and details so they could write the proceedures they could live with.

Its all well and good to have a policy, but without workable procedures it won’t (and possibly can’t) be followed.

Delegating all or part of the writing is also a way to develop soft skills in key staff you may be grooming for advancement.

Right, like they’re two different people

In reply to Who should write Policies and Procedures?

Just weighing in from those people who are the one person IT shop for a small company.

multi-phase situation

In reply to Who should write Policies and Procedures?

Seems to me the question should be broken into 2 parts: policies and procedure development.
Policies are specifically business decisions. They describe WHAT needs to happen.
Procedures are IT decisions. They describe HOW something is to happen.
Your question does not describe the problem being addressed; the type of product being implemented, but there is a bigger issue. How do policies and procedure inter-relate?
A model for writing the policies requires a business analyst working with an IT analyst and associated stakeholders, or some similar level of expertise. This allows for the business unit to drive the architecture of the IT model.
The procedure requires the IT analyst to work with the business analyst, but also all of the stakeholders effected by the procedure. This drives the decisions on which equipment to buy, or build, based upon the needs of the business.
Physically writing of the policy belongs in a realm outside of the asked question. Physically writing the procedure should be left to the analyst most familiar with the day to day application of the procedure.

Who should write Polices and Procedures?

In reply to Who should write Policies and Procedures?

It would seem to me in the IT arena that the IT Manager
would be the one to be responsible for writing and
updating Policies and Procedures. IT Admin have their
hands full with various projects that would clearly take time
away from the actuality of sitting down and constructing
policies for network and computer use. The IT Manager
oversees the ongoings of the day-to-day operation. Being
the case, he is able to report on how things are going,
necessary improvements, IP address assignments, etc.
Because the IT Manager plays a vital roll, the purpose of
keeping within the guidelines of computer use, as stated,
the IT Manager should be responsible for writing the
Policies and Procedures.

The Network Admins W/Tech Writer

In reply to Who should write Policies and Procedures?

Hi,

I am both a network admin and technical writer, and don’t think that outside people always know what is going on within the company. . . so, if you have the ability to intereview the company executives to find out what their specific needs are, then you are the person to write the policies. . if not, then the next best person suited. If you come from outside the company, then the company’s mgt must make themselves available for interviewing, along with the admins to bring their needs together for this to work. There are also security requirements that neither of them might know, and an outside person will see this and help them implement the different needs into their structure so they have a more wellrounded design for the policies and procedures for the company. Many internal people have never been educated in all of the different areas to be covered.

We included Legal Dept.

In reply to Who should write Policies and Procedures?

Working for a large, religious non-profit, our team included the legal department. Their perspective in protecting the organization from liability played heavily into the design of our policy manual. They also had the wisdom to make the policy broad in order to make it’s implementation flexible.

The downside of the broad approach is that I (lone IT Mgr. supporting 125 users) now find people violating the policy because they don’t see how it applies to real life. Consequently, I am crafting a document called “Policies in Practice” with the help of my Director and his boss, the COO. This doc can be flexible and can grow and change as the environment changes, which is quite frequently.

In any case, it’s essential to get buy-in from the top stakeholders. Otherwise, the policy will carry no authority.

I was a Legal PM

In reply to We included Legal Dept.

I was a PM for a legal department. I think that it’s great for the lawyers to get involved, this way you know you have the proper language. The only downfall to this is that because lawyers are usually so busy, IT policies usually get pushed to the side and attorney has a draft policy sitting on their desk that they are dying to pass onto whoever the new lawyer in the department is. I think that it takes someone involved in Records Management, Legal and IT to really sit down and do this the right way. Forming a task force with these three departments is the ideal answer, but without a corporate sponsor pushing, the team usually falls apart after a few meetings.

I’m trying to go to law school now so that I can officially work with companies to address their issues regarding IT policies in large corporations because I know how tough it is trying to deal with attorneys who know nothing about RM and technology.

Someone who can relate the policy to the audience

In reply to Who should write Policies and Procedures?

The most important thing is to ensure that the policy can be readily understood by the target audience. Many of us in IT are so tech-focused we can’t translate what we want into layman’s terms, leaving the audience without a clue. Policies aren’t much use if no-one can understand them. As long as the writer has the skill to translate jargon into layman, and management approve the policy, it doesn’t matter who actually puts fingers to keyboard.

Policy Management

In reply to Who should write Policies and Procedures?

Policy is generally considered a management function. In the formation of a Security Office (I prefer the name Integrated Security Office Program- ISMP), it is one of the three management areas that have strategic importance: Policy Management, Project Management (Portfolio Management, PMO, Program Management and Project Management at the Operational organizational level) and Risk Management. IT Security or Risk Management Policy is involved with the 10 areas of security as defined under the Common Body of Knowledge, ISO 17799, NIST 800 or DITSCAP. You can not control a function if you have not defined it, managed the processes and implemented the technology. Hence, Policy is made up of the areas of Knowledge Management, Process Management and Technology Management. Each of these areas have their “experts”. Policy must be managed centrally, but management could and should reach out to individual experts in these areas who have the knowledge, the process control and the technology knowledge who can define who, what, when, how and the why of policy. The technical people know the limits (constraints) of technology, the project managers know the process and everyone has knowledge of how policy should define and control certain aspects of the world that they live in. It is also a business function. Policy is not written by any one person, but is developed as a continuing process over a period of time. You can’t buy policy.You have to develop it like you would a computer application. It is something that fits the organization, the people, the processes and the technology that you are working for. It is truly a group effort.

From an National Security Agency 4011 certified Security Services Project Manager that routinely writes Policy.

Most of all, remember that policy is a process.

Reply To: Who should write Policies and Procedures?

In reply to Who should write Policies and Procedures?

Network administrator should enforce only. Should report violations to one person only for action. Network administrator should receive confirmation of every reported violation.

Policies/Procedures should be generated by top management in consultation with the legal advisor. Network Administrator and IT Manager should advise this committee.

Depending on the staffing issue

In reply to Who should write Policies and Procedures?

With our organization, I wear many hats. There is no one else that is available to write policies. As of right now I am working the HIPAA Security Update that is due April 21, 2005. This is a real job and I trying to get templates from sources to help with this process.

Tech Writer

In reply to Who should write Policies and Procedures?

In our organization, we have choosen the tech support staff to do the writing, the administration to approve, and the english department to do the editing. I do work for a school, so it helps having all types of people to work with. If we had unlimited funds then bringing in a tech writer to work with IT staff and school administration would be the most prefered.

Writing IT policies and Procedures.

In reply to Who should write Policies and Procedures?

In my opinion and experience it should be the IT Manager , because is the position that has a more complete vision of the IT department and has the total responsability of IT in the company.

Remember the policies will tell every body what can be done or not. So they will have to be approved by the Management who also approves the general policies.

The procedures are more relared to the operational side ,it means that they have to be developed by all the people involved in the process to get the maximum quality of the final service or product. Normally, they are developed having in consideration the related policies.

The procedures can be approved by the IT manager.

If you need further assistance let me know,

Bari.

[Author]

Replies