During both the creation and subsequent audit steps, organizations must 'beware of shelfware'. It sounds like a cliché, but it is more important than you might suspect.
What must not come out of governance and operational improvement efforts is documentation that sits on the shelf, so to speak, and is never used except to prepare for audits. Of course, this applies to electronic documentation, as well. The point is that policies and procedures must be useful and accessible to the people who need them or they will not be followed.
This is one of the reasons externally developed policies and procedures cannot be transplanted wholesale. They must be 'tuned' for internal use.
From the very beginning of a governance project, great care must be taken to create policies and procedures that actually aid the organization. What comes of these projects must add value and not just needless layers of bureaucracy.
By using COBIT, ISO 17799 and/or ITIL, organizations have access to a wealth of knowledge developed by thousands of people over many years. By using one or more of these standards as a framework, the people developing the policies and procedures can better understand what needs to be looked at and can share best practices with people all over the globe through the Internet, books, classes and seminars.
Now, let's discuss means to document policies and procedures in the IT area.
For the purpose of this article, we'll assume that a risk analysis already has been performed and decisions made about the appropriate framework to follow and what needs to be done in order to address identified risks.
The first step is to identify the IT stakeholders who must be involved.
It is a fatal mistake to bring in consultants or buy pre-written policies and procedures and expect to just implement them wholesale without modifying them to work in your organization. Clearly, there are benefits to reviewing what others have done and leveraging that work to jumpstart your efforts. However, these policies and procedures need to be edited and refined to work in your environment.
With this in mind, the best people to do this are the people who actually do the work every day. Depending on your organization, you may create a project team with the appropriate stakeholders. Be sure to carefully select the team, bearing in mind communication skills, stature with peers, etc.
The next step is for a peer review. This means that a knowledgeable council reviews everything and must give approval prior to release of the content into production.
There are a variety of reasons that necessitate peer review prior to formal adoption.
Be aware of how people view their own jobs and the best way of accomplishing tasks. Individuals can inadvertently document what is known as an espoused theory rather than their theory-in-use. The organizational psychologist Chris Argyris noted that people have a difficult time explaining what it is that they actually do, because they tend to document their ideal method, or the method they would use without the other workplace constraints that, in practice, prevent them from using it.
The scientist and philosopher Michael Polanyi observed that people regularly fail to document how they perform tasks because they literally know more than they can tell. If that is true, then it pays to review the work and ensure that it is complete.
In our technical world, it is very easy to make a mistake through errors of interpretation. For example, I may think I know how to back up a system and try to document the process. However, the reality is that I do not know everything, and another person may have additional valuable input.
By involving the team, people know what is going on and can offer other perspectives. Because of their diverse backgrounds, better ideas often arise during a peer review session as people build on one another's concepts.
Once the Documentation is Done
After creating the documentation, it needs to be published. In this age, the best means is to publish it on the web. Be sure to have the material organized and searchable, and be very certain to follow appropriate document management practices (version control, an identified owner for each document, and a review date).
As policies and procedures are released, it is not enough just to publish them. Appropriate training must be instituted to be sure that all of the stakeholders are aware of the new or changed policies and procedures. It is very important that people be formally trained at the start and receive refresher training at least once per year.
Without a doubt, the IT environment is constantly changing.
What is documented today will not be true forever, so there must be a means to audit and continuously improve the system. If the policies and procedures get out of sync with reality, then people will stop using them. There must be routine audits to ensure that documented practices are actually being followed and that they are still appropriate.