Why the need for IT Policies?

In most organisations, there is a set of policies, or a single policy, relating to IT. This is usually done so that the auditors can tick the box, or because the controlling board or management has realized that Corporate Governance includes IT Governance. Larger organisations go through cycles, from realizing the importance of IT policies to realizing that the policies have not been updated or reviewed for a few years. Usually this is driven by the focus of senior management, when an IT-savvy person in a senior position champions it.

The question is, why do we need IT policies at all? Can we not just make sure that IT “works”? Has IT not become a commodity, like electricity? Maybe computing has become so entwined with the everyday functioning of our personal and corporate lives that we think of it as all around us, and so much a part of us, that we don’t need to police it with rules and regulations.

This is precisely why the rules need to be set out. IT is so integrated that we do not realise that without specific limitations put on it, it can be massively abused and used for nefarious purposes.

IT policies are the start of this process. The house cannot be built without the foundations, and if the foundations are not in place, the house will crumble. For an organisation to have a well-functioning IT system, solution or backbone, the policies that set out the rules must be in place and up to date.

In most organisations, the primary driver for IT policies to be in place is IT Security. Techopedia describes IT Security as follows: 

“Information security (IS) is designed to protect the confidentiality, integrity and availability of computer system data from those with malicious intentions”, and Wikipedia has the following definition for Computer Security: “Computer security, cybersecurity or information technology security (IT security) is the protection of computer systems and networks from the theft of or damage to their hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide.”

As a basis then, any organisation should decide what the rules are to protect their IT systems from being open to people that want to do them harm. “Harm” in this sense is very broad. It might be defined as anything done to the business that they don’t want done to them. This can include theft, sabotage, espionage, etc. Once the business has decided what they want to do to protect the IT system, this can be codified and standardized in a policy.

The key factor here is the ground-up approach. What is the goal? Write it down, then do it… This is where most organisations do it backwards. The IT staff know what they must do to protect the IT systems. They have been doing it for their entire career and it is instinctive. The management/CIO/Governance personnel know that there must be policies, so they buy or write them, but there may not be synchronization between the two. In an ideal environment, the two parties will come together and ensure that the approved policies are in place, and then the IT security processes and procedures will be built around that. However, this very rarely happens in practice.

As an alternative solution, the owner of the policies should make sure that the ideas and requirements of the organisation as a whole (management) are in line with what is being done at the coalface (the IT shop). This should then be codified, approved and formally implemented as an IT Security Policy.

Here we come to the start of the IT Policy journey. As soon as the Policy has been codified and approved by all the relevant parties, the process of making sure that everyone in the organisation knows about the policies can start. From this policy, the Standards and Procedures can then be created.

Policy = Why Do I Need To Do It?
Standard = What Is Required?
Procedure = How Do I Do It?

In addition, Guidelines can be created as recommendations or best practices.

As a follow-up, I will talk about the rest of the IT policies that may be needed, as well as the fact that specific IT policies are not required by law, and why that is.

In addition, I will touch on the following topics: What are the ideal IT policies for your organisation? How do you communicate the policies? And more.