IT Governance (Policies and Procedures) Development
Directive controls (IT governance)
There are four types of business and / or IT controls that should be implemented by management: preventive, detective, corrective, and directive controls. Directive controls are, in essence, written instructions from top management on how to enforce the preventive, detective, and corrective controls.
Policies are written instructions, providing statements of “we shall” or “we shall not”; procedures are authorised steps to be followed to give effect to policy directives; and standards are specific parameters (obviously business or industry dependent) that enforce a required level of control (e.g., particular password settings).
Directive controls, namely policies, procedures, and standards (i.e., in essence corporate and IT governance), are considered a core principle of IT security and data privacy governance. Courts understand them as the bare minimum that an organisation should do. Without these directive controls in place, an organisation might be perceived as negligent by a court.
From an IT perspective, an organisation needs IT security and other relevant IT policies for:
- IT users (administrators) – including for IT service providers.
- Normal users on the business side.
Futura International normally follows this process to implement IT policies, procedures, and standards:
- IT risk assessment and IT risk register compilation.
- IT risk register alignment with an international best practice IT framework (i.e., a selection of mitigating IT (preventive / detective / corrective / directive) controls).
- Data privacy IT governance implementation – develop directive controls (policies, procedures, and standards).
Minimum IT policies / procedures / standards
- Information security policy (covering multiple topics and governance areas).
- Physical security policy.
- User access management policy.
- Acceptable use policy.
- Cloud computing policy.
- Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP).
- Clean desk policy.
- Policy on data privacy risk assessments.
- Policy on data classifications.
- Backup policies and procedures.
- Change control policy and procedures.