Policy altitudes and ecosystem
These altitudes helped me understand where policies fit in the larger picture. Your organization may see this differently, but my advice for you is to really understand your terminology. Your ecosystem could look completely different from mine.
Step 2, Understand Key Practices and activities
My second task was to determine HOW I was going to set up the practices and activities within a policy framework to analyze and assess maturity. I decided to make my own guidance using the COBIT format. As you can see below, we have key practices supported by activities. I used these as a basis for my evaluation. You might think of these as control objectives. Of course, this is not an exhaustive list, but it provided a basis for my understanding of what should be accomplished.
Practice 1. A policy framework is documented, approved, and enforced
a. The policy framework includes dependencies and interrelationships with all other enterprise policies.
b. Appropriate KPIs are created for policy management and are tracked, monitored, reported and acted upon.
c. The policy framework includes a central system of record repository that is considered the source of authority for the enterprise’s policies and procedures.
d. The policy framework includes a mechanism for monitoring internal and external factors that may require policy framework modifications.
e. The policy framework aggregates and reconciles compliance with multiple regulations and requirements, the policies that result from them, and the processes that ultimately monitor and control them.
Practice 2. A policy lifecycle management system is approved and recognized
a. The processes for drafting, approval, implementation, continuous monitoring and retirement of policies are defined and adhered to.
b. Policies are developed in consultation with key stakeholders.
c. Ownership of the policy should be clearly identified and administration should occur collaboratively.
d. Changes and modifications to policies are subject to the enterprise governance approval process.
Practice 3. Policies are communicated and distributed to all stakeholders
a. Policies are published and distributed to all stakeholders, including employees and business partners whose actions they govern.
b. Policy training and awareness is conducted.
c. There is an established process of communicating changes to appropriate stakeholders, owners, and applicable practitioners.
Practice 4. Policies are monitored, enforced and maintained
a. The policy framework ensures that verification and validation of stakeholder training and understanding are an integral part of policy management.
b. Organizations should assess the level of non-compliance with any given policy to determine whether the policy should be amended or left in place without notification.
c. Compliance is monitored and violations investigated and addressed.
Practice 5. Technology is used to support the policy framework
a. A common technology platform is used to consolidate enterprise policies and procedures from various departments.
b. The most recent and approved versions of all policies and procedures should be stored and managed through a centralized policy repository.
c. Enterprise policies and procedures are readily available to all stakeholders, owners, and practitioners.
Practice 6. Each policy should meet good practice criteria
a. Policies have a purpose statement, owner or appointed steward.
b. Policies must be clearly aligned to an organizational principle or desired behavior.
c. Policies must provide references to any specific laws, regulations and standards they are intended to support.
d. Policies are linked to enterprise risk appetite and internal controls.
e. Policies must include scope, validity and an effective compliance date in which adherence will be monitored and enforced.
f. Policies must include consequences for failure to comply.
g. Policies must include escalation procedures for handling exceptions.
h. Policies are reviewed and approved on a consistent basis or updated as necessary.
i. Internal and external stakeholders are identified.
j. Policies should be effective—they achieve the stated purpose.
k. Policies should be efficient—they ensure that principles are implemented in the most efficient way.
Although the practices and activities identified above may need some updating or consolidation, they are a great start for determining the requirements for your policy environment, and they are not dependent on the size or type of organization. As far as I know, this is the first set of publicly available "control objectives" for policy assurance in our industry today, so it is a work in progress.
Step 3, Determine a consistent approach to measuring and assessing maturity
There is much confusion right now about maturity and capability models. As of this writing, I have not found a definitive resource to assist in assessing and rating the level of maturity for a policy framework.
My next step was to create a maturity model for the policy component. Since my client was asking for an assessment of their policy framework maturity, I chose to turn to CMMI to help me with this. Stay tuned, that is the subject of a future blog post.
Conclusion
The scope of this blog post is the policy framework associated with the enterprise's governance over enterprise information and technology, not the entire organization. What you have just read is what I believe to be the first set of potential control objectives for policy frameworks. As mentioned earlier, they may exist somewhere, but I couldn't find anything clean and concise, so I made my own based on many different standards, bodies of knowledge and client needs.
Look out for an upcoming blog post on how to create a maturity assessment of your policies.