Takoma Tech
Technology for Humans


IT policy development

What is IT policy?

  • Rules of the road: what behaviors/actions are expected or forbidden

  • Can apply to staff, board, vendors, other constituents

What are some IT policy examples?

  • Who has rights to access which data

  • How often data are backed up and how long they are preserved

  • Whether and how IT resources are accessed outside the office

  • Whether to require security training and what sanctions there are for noncompliance

  • Whether and how often to perform security/risk audits

Why is IT policy development difficult?

  • Must be based on actual risk, which is itself a complex analysis

  • There is a nearly inherent trade-off between security and convenience: policies need to strike a balance that allows the work of the organization to proceed without unnecessarily elevating risk

  • Policies must be acceptable and accepted (promulgating policies that won’t be enforced or complied with kills respect for all other organizational policies)

  • So, setting policy must be based on deep understanding of organizational culture

  • Must determine what carrots and sticks to employ

  • Must determine whom (if anyone) to exempt from one or more policies, and which policies apply to which classes of individuals and infrastructure

  • Must consider what-if scenarios, crisis-communication plans, and roles/responsibilities

Where do we start?

  • Conduct cybersecurity and risk audits, including:

    • Gather all existing policies

    • Determine gaps between the current state and desired state

  • Meet with a variety of key stakeholders (including junior staff) to understand existing work processes and to gather cultural insights

  • Suggest policies in a draft document and gather feedback

  • Produce final recommendations and present to organization

Let me help develop IT policies for your organization or business.