IT Policy Help
June 21, 2011 3:18 PM   Subscribe

Off the top of my head:

"What constitutes a good policy?" (Length, format, structure, etc)
"What policy frameworks have you worked with before? What were the advantages and drawbacks?" (In my world, you might hear about COBIT or ISO 27001)
"How should policies be tiered or structured?" (For example, for me, disposal of hardware isn't a policy, it's a standard. Policies are high level, approved by the board of directors, and rarely change. Standards adhere to the policy but provide specific direction on how to perform tasks in a compliant manner.)
"How should policies be approved and how should acceptance and adherence be tracked?"

If your consultant does this for a living, they probably have a big book of policies they're going to do a search-and-replace on to insert your org's name. Will this be OK? Try to get an idea of the amount of time they expect to spend on a particular policy. Who are the constituents they would expect to work with on a Document Destruction policy, for example.

Your policies should be a informed by your org's mission, balancing industry, regulatory, and other requirements. Is the consultant familiar with the regulatory requirements and industry best practices you'll be expecting to work against?

Finally, how will you/the consultant track the change and approval of policies? Paper docs with signatures? Word docs on Sharepoint? A GRC tool like Archer?
posted by These Premises Are Alarmed at 4:10 PM on June 21, 2011

I came in here to make some suggestions, but has them down comprehensively. Just remember if you want someone who will understand the Business requirements, IT Capabilities and regulatory requirements and then frame a policy for approval or if you want someone just to write the policies against a framework, while the decisions are made by someone else.

From my perspective, it is extremely improbable for one person to do the former, since they need too many skills. Usually, a core group from Business and IT makes the decision and the consultant writes them in accordance with a framework.

Oh, and don't hire someone who expects to do it all alone or provide a ready made set of policies. Also, don't hire someone who does not pilot the policies in a limited way before rolling them out unilaterally.
posted by theobserver at 4:19 PM on June 21, 2011

"How do you go about developing an X policy for a new organisation?"
"Who in an organisation would you consult with when developing a new X policy?"
"How would you ensure that a new X policy can be implemented effectively?"

While the consultant is unlikely to be responsible for implementing the policy, it needs to be something that fits with existing processes or at least clearly identifies changes in processes that can be implemented effectively. No point in hiring someone who can write a fantastic policy based on templates, that just won't work in your organisation. Understanding of the context in which the policy will operate and a willingness to engage with the business in developing the policy is essential.

(And everything else that These Premises Are Alarmed mentioned)
posted by finding.perdita at 4:24 PM on June 21, 2011

It seems like there might be two kinds of "policies" that are being conflated here. Some of these aren't really policies, but are really more like standard operating practices and procedures for an IT department. That would be stuff like "here's where we sell, donate, or recycle old hardware" or "here's who gets administrative access to which servers." The others are more like traditional policies that apply across the organization, including such exciting topics as "everyone gets a new PC every three years except for the engineers who get new ones every 18 months" or "employees in these positions/levels get smartphones and must follow these rules about personal use" or "employees may not use company laptops to download and/or view pornography unless such use is directly work-related and approved by their supervisor" (try developing a web browser and you'll find yourself needing to visit some interesting sites on occasion) or "client data may only be stored on the intranet and never on the external web server," or of course the perennial favorite "you may not use the word 'password' nor 'password 123' or 'password321' as your password." I'd try to clarify which of these you're looking to develop, as the processes involved can be quite different.

Personally, I'd want to ask a lot of questions that get to their ability to quickly come into an organization and to understand its dynamics and needs. What do they like to do when they first start? Who do they like to talk to and what do they ask? If your consultant doesn't have these skills or doesn't choose to use them, you'll get some cookie cutter policies that don't help you very much.

Some other questions to consider:
- Can you tell me about some situations where you've gotten a lot of opposition or pushback on a policy issue and describe how you handled that process?
- What practices have you used in the past that have been particularly helpful in rolling out new policies successfully and for training everyone involved on policy matters?
- Take me through the process you like to use when developing a policy. Who do you talk to at what stages of the process?
- What doesn't work and/or what is more trouble than it's worth? What initiatives have you seen fail and why do you think that has been the case?
- How can you decide when policies should contain more flexibility and when everything should be strictly defined with few exceptions?
- What shouldn't be a policy? How do you know how much policy is enough?
posted by zachlipton at 5:01 PM on June 21, 2011 [1 favorite]