Compliance Policy Development

The best way to stay out of the regulatory hot seat and keep the compliance police at bay is to develop a comprehensive set of well-written policies. We examine your

September 22, 2006


Given the scorching pace of new industry and government regulations, even well-prepared IT groups are on the defensive. We all know the best way to stay out of the hot seat is to develop a comprehensive set of policies to address threats, but that's easier said than done.

DON'T GET BURNED

More Compliance Policy Development Articles:

• Introduction

• Policy Workbook: Mobile and Wireless

• Policy Workbook: E-Discovery

• Policy Workbook: Data Protection

• Policy Workbook: Unified Message Archiving

• Get Framed

Reams have been written about how to comply with specific regulations, but there's still widespread FUD. Consultants feed on the FUD, as do manufacturers of policy and procedure applications--essentially document-management software with a bent toward policies. Every vendor wants us to believe its product is the magic bullet for keeping on the right side of regulators.

Let's acknowledge up front that no application, consultant, industry group or magazine article can fulfill your compliance policy needs because, simply, no outsider grasps the nuances of your organization. In our Policy Workbooks, we'll get you started with the information you need to set policies in red-hot areas that most firms should address sooner rather than later: Mobile and wireless, data protection, e-mail retention and e-discovery. Here, we explain how to get a policy initiative off the ground.

The ability to take the risk-management approach required to build a comprehensive policy set and use industry frameworks effectively may not come naturally to IT pros, but it can be a lucrative and salable skill: Salary.com pegs the median salary for a U.S. corporate compliance director at $99,088, and a Gartner survey says 75 percent of organizations have at least one IT person dedicated to compliance management. Seventy-six percent have an executive-level compliance office or governance council.

[Figure: Typical Compliance Governance Structure]

Better Regulate Than Never

HIPAA, GLBA (Gramm-Leach-Bliley Act), SOX (Sarbanes-Oxley) ... all have been around long enough that IT is finally getting a handle on what it means to be in compliance. And it's not just governments driving this trend; one of the latest policy drivers is the Payment Card Industry's Data Security Standard.

"Most companies are more concerned with PCI than they are the government regulations," says Joe Filer, director of corporate security for RackSpace. "You've got to be able to take credit cards."

Still, if you haven't updated your processes and policies in a while, figuring out where to start is a daunting task--the landscape covered by regulatory drivers is vast and varied. This is where risk management and prioritization come in, assessing which threats pose the greatest risks to your enterprise versus identifying low-hanging fruit that can be quickly realized by appropriately selected, crafted, enacted and enforced policies. (See our Strategic Security guide to Risk Assessment.)

Of course, good policies provide benefits beyond regulatory mandates. A policy specifying that infrastructure upgrades be followed by simulating end-user transactions, for example, contributes to your bottom-line uptime as perceived by users. Shops with sensible and effective processes and policies built into their DNA are likely serving the business well and are in less danger of being marginalized or outsourced; more on how to move the policy from paper to personnel in "What's In It for Me?," below.

Help Is Out There

The best practices frameworks various industry associations have assembled are an excellent way to get broad guidance--maps, if you will, to core functional areas that will let you eat the elephant a bite at a time.

Good examples include ITIL (IT Infrastructure Library), ISO 17799 and COBIT (Control Objectives for Information and Related Technology). None of these is free, but plenty of books for under $100 describe them in enough detail for you to get started.

For example, ITIL breaks IT service delivery and support down into "back room" versus "front room" processes (see "Understanding Best Practices Frameworks"). ITIL defines "service support" as ways IT interacts with users, versus "service delivery," which are ways IT manages infrastructure.

By reviewing each functional area for your department or organization, you can start brainstorming with your team about risk levels, then take a targeted approach to what policies must be built. We recommend giving yourself numerical grades based on framework criteria: Say you do a good job at the service desk category, and in fact, most of your front-room processes are at 80 percent or better, but you know your change management needs help--your infrastructure team is willy-nilly about the way it implements changes to the network, and this sometimes causes downtime or places the organization at risk.

The ISO 17799 security framework has been described as a backbone. "It described where we were deficient, where we needed work," says a security manager at a financial organization. "I think building around that kind of framework really works, because it cuts across every industry, every compliance requirement, but is also customizable to your business."

Ron Muns, founder and CEO of the Help Desk Institute, a vendor-neutral IT service and support group, says basing policy planning on a third-party framework can also reduce the churn that occurs with personnel changes. Every new IT manager wants to put his or her mark on the organization, but it's difficult to communicate when the new CIO calls agreements with vendors "SLAs" while staffers and policies refer to "operational-level agreements."

This common-language issue resonated with the execs with whom we spoke.

"ITIL is becoming more and more useful because it allows us to communicate in the same language," says John Engates, CTO of Rackspace. "Security and compliance can be a foreign language to other employees, and having a common framework really helps everyone align."

Siren's Song

There's a lot of interest in buying policy and procedure software, even outsourcing policy development. Tools such as IDS' PowerDMS or Policy Technology's Policy and Procedure Manager are essentially document-management and workflow products--good stuff, and relatively inexpensive to test out; licenses for Policy Tech's product, which provides structured management of documents, start at $1,095 per user plus $197 annually. But again, definitely no silver bullets.

Whether or not you choose purpose-built document management software for policies and procedures, you'll still need to do an assessment of your organization's potential risks and benefits, and then generate and edit the policy. Sure, policy and procedure software can do a good job of centralizing document approvals, but so can a free Wiki. Be suspicious of software that claims to have lots of templates "perfect" for your organization.

"Like politics, all policies are local," says Jim Kennedy, vice president of IT at United First Federal Credit Union. "They are a guideline at best. I use [policy and procedure apps] as a background briefing before I write the real policy." When we spoke with Kennedy, he had just finished revising the latest version of the financial institution's disaster-recovery policy set, and he pointed to the example of how the risks of his mid-state branches are different from the coastal areas, saying, "Not everyone needs to do tsunami planning."

For broad-brush compliance, a hosting service provider can step in. "A lot of midsize companies can't do their own buildout of a security or compliance organization--they don't have the financial or human resources to deal with it, so they look to third parties," says RackSpace's Engates.

If you do go with a provider, be clear about parameters. Even RackSpace, the hosting provider we spoke to for this article, admits its services are no panacea.

"From the perspective of the security interface, it's important that we establish where hosting company versus customer responsibility stops and starts," Filer says. "This is one of the hardest things because you have to look at the overall business." Translation: You have ultimate responsibility for your organization's compliance.

If you decide to bring in outside help, choose a consultant with deep experience in your industry. This is not the time for on-the-job training as someone tries to become expert in your business' policy requirements.

The Kindness Of Strangers

Industry associations, think tanks, listservs and public universities can be gold mines for policy-generation efforts; when you can't find a broad template, a thoughtful cut, paste and modification of someone else's policy can be easier than starting from scratch.

"Policies is one place where plagiarism is totally OK," says Joe Filer, RackSpace director of corporate security.

We agree, as long as you choose intelligently and customize for your organization. Typically, publicly posted policies have been "sanitized," so specific organization identification is removed from the policy.

The SANS Institute think tank provides policy templates to the public, while the Help Desk Institute's templates are available only to paying members. "HDI has an interactive library that allows folks to upload and create Wiki-type documents, so that it can grow in value over time," says Ron Muns, HDI's CEO. Someone might start a document containing best practices for automated password resets, and someone else might finish it.

Look to groups with specific subject matter (for example, check out SANS for security policies and HDI for service and support policies), rather than simply Googling--you're more likely to find a quality, vetted policy through specialized organizations.

On the other hand, if you need a policy relevant to your industry, check industry IT user groups and listservs rather than groups that cater to various IT subject areas. A policy on bank auditing of automated deposits to your PeopleSoft system, for example, would be better found through a banking group than through a site that deals with PeopleSoft.

'What's In It For Me?'

"Leadership is the art of getting someone else to do something you want done because he wants to do it." --Dwight D. Eisenhower

As anyone who's spent time in enterprise IT can tell you, gaining upper-management support is just the beginning. Unless you win the hearts and minds of your end users, you might as well use your policies to wrap fish.

If a policy is important enough to develop, why not disseminate it in person? Get out of the data center and explain policies to employees. Sure, this is resource-intensive, but it communicates urgency and allows for dynamic question-and-answer sessions.

Making employees part of the process and putting your money where your mouth is also increase buy-in. Listen to end users' thoughts about policies, adopt sensible ideas and give credit where due. Many companies have reward programs (sometimes through Human Resources) that provide a monetary bonus for the implementation of an idea that helps process or efficiency.

But it's not just about rewarding employees; it's about tying policies back to their self-interest.

"A concept that really works is, 'What's in it for me?,'" says Joe Filer, RackSpace director of corporate security. "It's important to translate your management objective into an employee benefit." For a password policy, for example, remind users that weak passwords open them up to the possibility of impersonation on their work accounts. Keep employee feedback in mind when you're going final on a policy, and be willing to adjust so you gain that crucial mindshare. This avoids a false sense of security and is worth the effort--a bad policy nobody follows may be worse than no policy at all.

Jonathan Feldman is an NWC contributing editor and director of information services for the city of Asheville, N.C. Previously, he was director of professional services for an infrastructure consulting company. Write to him at [email protected].
