1. CST 481/598 x.2

2.  Broad overview of policy material  What is a “process”  Tiers (not tears) Many thanks to Jeni Li

3.  Guide employee behavior  Enable accountability measures  Manage expectations (to an extent)  Ensure self-regulation  Protect information  Protect the company

4. Policy  High-level, brief  General requirements on a specified subject area  Tier 1, 2, 3  Standards  Mandatory requirements that support individual policies  Procedures  Mandatory, step-by-step actions to complete a task  Guidelines  Recommendations (not mandatory) to enable policy compliance  May provide a framework to implement procedures

5.  Overall vision  Address organizationwide issues  Fairly broad, brief, and general  Usually developed or approved by committee  Require little modification over time  Examples  Records management  Corporate communications  Business continuity planning

6.  Components  Topic with “Hook”  Scope  Responsibilities  Compliance and Consequences

7.  Specific topic or department  Address single issues of current relevance  Usually issued by a single senior official  Require more frequent updates  Examples  Electronic mail  Workstation security  Data access control

8.  Components  Thesis statement  What the policy addresses and why it exists  Relevance  Where, how, when, and to whom it applies  Responsibilities  Compliance  May be more specific than Tier 1  Supplementary information  Metadata; e.g., contact, ownership, revision dates

9.  Specific application, function, or system  May be issued by the system owner  Should derive from mission objectives  Business and application mission objectives  Proactive, not reactive  Format is more variable  Examples  Payroll and time submission  Web application server access

10.  Easy to understand  Visible  Applicable  Do-able  Enforceable  Phased in on introduction  Proactive  Diplomatic (avoid absolutes)  Supportive of the business objectives

11.  See if you can just change an existing one  Address the business objectives  Use the business language  Use the existing policy format  Write it well  Be succinct  Grammar and spelling matter  Be realistic (balance protection with productivity)  Consider the audience  Sell before and train after

12.  Policies state goals in broad terms  Standards define what to do in specific terms  Procedures tell how to meet the standards

13.  Standards should  Have management support  Be reasonable, flexible, and current  Be practical and applicable  Be reviewed and updated regularly  Ensure adherence to externally imposed standards

14.  Procedures should  Fulfill a real need  Does the task have to be completed in a specific manner?  Identify the target audience  Describe the task  Its purpose, scope, and goals  Any prerequisites to beginning the task  Describe the expected outcome

15.  Some possible components  Title  Intent  Scope  Responsibilities  Sequence of events  Approvals  Prerequisites  Definitions  Equipment required  Warnings  Precautions  Procedure body (the actual steps)

16.  Formats vary  Content, depth and specificity/generality