Creating an Effective Email Policy
Central Missouri Chapter
Jesse Wilkins
April 16, 2009

ELEMENTS OF AN EMAIL POLICY

Email policy
Critical requirement for effective governance
Provides broad policy statements
Should be included in broader communications or IT policy
Lots of references and examples available

Email policy elements
Every organization’s policy will be different
  – Public vs. private sector
  – Regulatory requirements, both horizontal and vertical
There are some common areas that should be addressed

Policy elements
Purpose
Scope
Definitions
Policy statements
Procedures
Responsibilities
References

Purpose and scope
This policy has three purposes:
1. Establish definitions relevant to the email management program
2. Describe usage policies relating to email
3. Describe security and technology policies relating to email
Scope: This policy is applicable to the entire enterprise.

Definitions
Uncommon terms
Common terms used in an uncommon fashion
Acronyms and abbreviations

Acceptable usage
Most common element of email policies today
Typically addresses things NOT to do:
  – Obscene language or sexual content
  – Jokes, chain letters, business solicitation
  – Racial, ethnic, religious, or other slurs
May address signature blocks
  – Standardization, URLs, pictures

Effective usage
Guidance on writing emails
  – Wording and punctuation
  – Spell check and grammar check
  – Effective subject lines
Guidance on etiquette
Guidance on addressees

Personal usage
Whether personal usage is allowed
Any limitations to personal usage
Separation of personal and business usage within individual messages
Personal account access

Ownership and stewardship
Whether email is considered to be owned by the organization
Responsibility for stewardship of messages, both sent and received
Privacy and monitoring
Third-party access

Retention and disposition
Email is a medium, not a record type or series
Email messages can be records
  – Subject to open records/FOIA, discovery, etc.
Other information objects can be records
  – Calendars
  – Read receipts/bounces

Legal issues
Email can be subject to discovery
Assigns responsibility for communicating legal holds
Describes whether or not disclaimers will be used and how
May outline privilege issues

Encryption and digital signatures
Outlines whether encryption is allowed
  – What approaches available for encryption
Whether digital signatures are allowed
  – What approaches to use

Mobile and remote
Most often found as part of general policies for remote workers
Requirements for mobile devices
Requirements for web-based access
Synchronization and login requirements

Archival
Addresses whether email will be archived
Addresses whether personal archives will be allowed
May address backups – but backups are not archives

Security
Attachment limitations
  – Whether they can be sent at all
  – Size limitations
  – Content type limitations
Attachments vs. links
Content filtering
Encryption and DRM

Procedures
Detailed instructions for complying with policies
Each of the policy statements will have one or more procedures
May be specific to process, business unit, jurisdiction, application

Responsibilities
Responsibilities for policy development and maintenance
Responsibilities for compliance with policy
  – Managers
  – Users
  – Specialist staff

References
List any references used to develop the policy
  – Internal strategic documents
  – Records program governance instruments
  – Publications

DEVELOPING THE POLICY

The policy framework
Approach to developing and implementing a policy
Ensures that policy development is consistent with organizational goals
Ensures that policy meets legal and regulatory requirements

1. Get management support
Policy development requires time and energy from users and stakeholders
So does policy implementation
Ongoing compliance will require auditing and communication
None of this happens without management support

2. Identify stakeholders
Policy should address the entire enterprise
Stakeholders should include:
  – Business unit managers
  – End users
  – Legal, RM, IT
  – External customers and partners

3. Identify the goals of the policy
What changes are being introduced?
  – Processes, technologies
What are the desired outcomes?
What behavioral changes should result?

4. Conduct the research
Legal research
Organizational research
Public research
  – Standards and guidelines
  – Benchmarking
Consult with similar organizations
Analyze the results

5. Draft the policy
Collaborative and iterative process
There are a number of resources available to provide an email policy framework
These are starting points and need to be customized for your requirements

6. Review the policy
Review by legal, HR, users
Ensures it is valid
Ensures it will work within existing organizational culture
Change management

7. Approve the policy
Policy is reviewed by business managers, senior management
Complete revisions as necessary
Approve the policy

8. Implement the policy
Communication
Training
Auditing

9. Once the policy is live
Monitor for compliance with policy
Solicit feedback about policy
Provide refresher training as required
Consider whether to retain previous versions of the policy
Plan for periodic review and maintenance

Questions?

For more information
Jesse Wilkins, erm m, emm m, ecm m
Access Sciences Corporation
(303) direct
Twitter: jessewilkins