Sunday, March 18, 2018

ITAM Policies - They Matter

In a recent discussion with an IT Asset Management professional, the question of policies came up, and I was asked what I did to establish policies and how we went about doing that.

It's a good question and one you should be considering for your IT asset management (ITAM) program.  Policy Management is one of the foundational key process areas (KPAs) of an ITAM program, so it deserves special consideration.  It is an area the busy ITAM can be tempted to lay aside as something to be considered later.  Maybe you have some good policies already, have used them, and they seem adequate, but are you constantly staying ahead?  Are you keeping them fresh?

I admit in our case, we did not do a couple of things that I consider best practices that would have helped our cause tremendously.  We never consciously pushed Policy Management in our program; although we did have some essential policies, they were not primarily driven by Asset Management, and they did not have the imprimatur of the CIO.  In hindsight, those were mistakes.

If your IT organization does not have a formal policy management and/or policy process as part of governance, you're behind the curve.  I consider these foundations of a solid IT organization.  Coming from a resource- and money-challenged world, I understand these can seem like luxury items.  Ultimately, your organization will discover they are necessities, not luxuries, and you'll pay the price.  I can say from experience, if you do not bring asset management to the forefront of your IT organization's and CIO's thinking, your ITAM program will never be considered strategic, and you'll always play second fiddle to others.  You're minimizing your role in the organization, you're doing it voluntarily, and you risk the program being relegated to second-class citizen status, or disestablished.  I've been there.  In my defense, if your business is severely financially challenged, you may not be able to forestall this anyway, but give yourself and your team a fighting chance.  Apologies for the digression; I'll save this entire subject for another blog post.

Returning to Policy Management...

If you're just starting an ITAM program, you need to give policies some thought.  If you have CIO-level backing starting out, this is a good time to establish that C-level involvement, via policy.  As I said, you will want that going forward.  As your program matures, more and more of the policy-level decisions and policies will be delegated to you and your team, but you want the people impacted by policies to always know that these are C-level policies and they will be treated as such.  That means they will be enforced and updated.  Get C-level signature on your policies.  Have your CIO at least read them and agree with them.  Make sure the CIO understands you intend to enforce policies uniformly (more on that later).  Make sure they have the stomach to live up to these policies.

If your ITAM program is established, or semi-established, and you lack policies, you will need to lobby for C-level approval and signature on them.  If you have an IT Governance organization, you will want and need to work with them to get your policies approved at the highest levels necessary.  I highly recommend you do this.  It is equally important for the C-level sponsor to understand that these policies exist and that ultimately, they are responsible for their education, enforcement, and management.  Can I say that again?  I can.  Make sure your C-level understands they are responsible for these and that you intend to enforce them.  No matter who the offender may be.

A good essay on this is from the ITAM Review, "Why do IT Policies Fail" (The ITAM Review, Aug 6, 2010).  An important point in this article is that people look up to leadership: "Too often, managers also break the IT policies very publicly. Similar to parenting, executives and managers need to be on the same page by saying and doing the same thing."  Be aware of this, and either enforce policies uniformly, or change them so that they can be enforced uniformly.  A policy that is routinely ignored is ineffective, useless, and sends a signal that all policies are to be ignored.  Better to change the policy (for example, a policy mandating use of corporate standard laptops) than to undermine all you do because, say, a certain group of individuals are allowed to deviate from standards.  When your Sales reps find out, for instance, that the VP of Sales has a MacBook Pro that is denied to them because they need to use the standard Windows laptop, it will not only make a fool of you (and others), it will also create cynicism and anger amongst the workforce.  Again, a future blog post.

What policies do I need?

The CITAM manual does a nice job laying out the policies that you may want, and some that you really must have.  When I was asked this question, I honestly had not given this a lot of thought, so I was a bit flat-footed, but immediately, these came to mind:
  • Acceptable use policy
  • Procurement policy
  • Lost/stolen assets policy
Acceptable use dictates how software is used in your organization; this typically covers use in accordance with the agreed-to licensing restrictions (i.e. the EULA), while procurement policy determines who can buy assets and how they are purchased.  Lost/stolen assets policy deals with the responsibilities of end users when assets are lost or stolen.  In my experience, the first two were handled annually as part of the employee code of conduct training that employees acknowledged every year, but admittedly, the amount of training the employees got on these was essentially a one-liner in the training, so not the kind of meat you might prefer.  These kinds of training items are more likely an attempt to get a signature on a variety of topics that get lumped into these annual events, so you may want to be more proactive in getting these policies communicated.

You'll also note that even in just these three policies, there are more stakeholders than ITAM.  For acceptable use, you are going to have Service Management and Application Managers heavily involved, and likely your Procurement teams.  A procurement policy may be owned by Procurement (in our case it was).  It may be extremely detailed depending on the complexity of your Finance organization and how spending is approved.  A lost/stolen assets policy is going to cut across multiple groups: your SM folks again, your help desk personnel, InfoSec, and perhaps even Finance.

The point is policy can't be crafted in a vacuum; you are going to have multiple stakeholders.  But since ITAMs are policy "experts," I highly encourage you to break out your manuals, develop templates, give your compatriots the benefit of your knowledge, and draft policies for them to review.

Other policies...

IAITAM recommends a variety of policies, but remember these are recommendations and your mileage may vary, so I'll just highlight a few that I think are important enough to be at the top of your list:
  • Scope/Authority for Management of IT Assets - this is one I wish I had made NUMBER ONE on my list.  With C-level signature on this, giving ITAM this responsibility, it is all you need when dealing with recalcitrant co-workers.
  • Vendor Communications - governing how the business deals with vendors.
  • Response to Audit Requests - you should have an overarching Audit Plan, but a policy statement about how employees deal with audit requests would be highly beneficial.
There are many more recommended by IAITAM, and other experts will have even more.  Your specific policies will be something you need to consider, but start an outline, identify the policies and the stakeholders, and put this high on your to-do list.

Action Items

  • Develop templates or use existing ones.
  • Push to have a Policy Manual in your IT Department.
  • Publish the policies on your intranet, and have an ongoing communication plan.  Normal users can likely survive with the annual refresher training described above, but you'll want to go into more depth with certain users (for example, some of these policies will impact IT personnel directly; if you have lunch-and-learn sessions or dedicated IT training time, consider using that).  Keep these events relatively short to encourage participation.
  • Have a plan for revisions to policies, and include the revision cycle as part of the policy itself.
  • Have the appropriate people sign off on policies.

Your feedback...

What policies do you have?  What do you find essential in your ITAM program?  What advice do you have for other ITAMs out there struggling with Policy Management?