What is IT policy?
Rules of the road: what behaviors/actions are expected or forbidden
Can apply to staff, board members, vendors, and other constituents
What are some IT policy examples?
Who has rights to access which data
How often data are backed up and how long backups are retained
Whether and how IT resources are accessed outside the office
Whether to require security training and what sanctions there are for noncompliance
Whether and how often to perform security/risk audits
Why is policy development difficult?
Must be based on actual risk, and assessing that risk is itself a complex analysis
Nearly inherent trade-off between security and convenience: need a balance that allows the work of the organization to proceed without unnecessarily elevating risk
Policies must be acceptable and accepted (promulgating policies that won't be enforced or complied with erodes respect for all other organizational policies)
So, setting policy must be based on deep understanding of organizational culture
Must determine what carrots and sticks to employ
Must determine whom (if anyone) to exempt from one or more policies, and which policies apply to which classes of individuals and infrastructure
Must consider what-if scenarios, crisis-communication plans, and roles/responsibilities
Where do we start?
Conduct cybersecurity and risk audits, including:
Gather all existing policies
Determine gaps between the current state and desired state
Meet with a variety of key stakeholders (including junior staff) to understand existing work processes and to gather cultural insights
Suggest policies in a draft document and gather feedback
Produce final recommendations and present to organization