IT Governance (Policies and Procedures) Development

Directive controls (IT governance)

There are four types of business and/or IT controls that management should implement: preventive, detective, corrective, and directive controls. Directive controls are, in essence, written instructions from top management on how to enforce the preventive, detective, and corrective controls.
Policies are written instructions, providing statements of “we shall, or we shall not”; procedures are authorised steps to be followed to give effect to policy directives; and standards are specific parameters (obviously business or industry dependent) that enforce a required baseline (e.g., certain password settings).
Directive controls, namely policies, procedures, and standards (i.e., in essence corporate and IT governance), are considered a core principle of IT security and data privacy governance. Courts will generally regard them as the bare minimum that an organisation should do. Without these directive controls in place, an organisation might be perceived as negligent by a court.
From an IT perspective, an organisation needs IT security and other relevant IT policies for:
  • IT users (administrators) – including for IT service providers.
  • Normal users on the business side.
It is important to note that, according to best practice, “Business” has to drive governance, not the IT department (or IT service providers). Business has to tell the IT department what the minimum requirements are. In many instances the IT department has implemented some best practice controls using either its own guidelines and standards or international frameworks. However, the details of each control implemented have not been driven (and authorised) by business management. This is a high risk, and we recommend that organisations address it as soon as possible in order to become compliant with the Protection of Personal Information Act (PoPIA).

The journey

Futura International normally follows this process to implement IT policies, procedures, and standards:
  • IT risk assessment and IT risk register compilation.
  • IT risk register alignment with an international best practice IT framework (i.e., a selection of mitigating IT (preventive / detective / corrective / directive) controls).
  • Data privacy IT governance implementation – develop directive controls (policies, procedures, and standards). 

Minimum IT policies / procedures / standards

  • Information security policy (covering multiple topics and governance areas).
  • Physical security policy.
  • User access management policy.
  • Acceptable use policy.
  • Cloud computing policy.
  • Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP).
  • Clean desk policy.
  • Policy on data privacy risk assessments.
  • Policy on data classifications.
  • Back-up policies and procedures.
  • Change control policy and procedures.