Policies are often ineffective, often not understood, poorly managed, and represent more of a token gesture than a comprehensive and sustainable approach to risk management. Why are they so important? Policies not only serve as legal documents that protect the enterprise from liability, but they have also been used in court against the company when written but not communicated or enforced equally. If that isn’t a wake-up call! There is often limited process in place to validate the effectiveness of business policies, a general lack of communication and little policy enforcement, and this leads to failures. One example is a company simply posting its policies on an intranet and hoping that employees both read and understand them.

In order for a policy to be effective, you need to be sure that employees understand the policies and, more importantly, are clear on the consequences of non-compliance. We also suggest that you have all of your employees sign an agreement stating that they will abide by them. Here are a few tips for effective policy management:

  • Change your policies with your business - companies are constantly changing, so don’t forget to update your policies to reflect that change.
  • Follow through - with consequences in place, don’t let them slide. One employee getting away with non-compliance will diminish your policies’ credibility.
  • Make sure your policy is clearly defined, understandable, and addresses both what and why.

We have talked briefly about implementing a governance, risk and compliance (GRC) framework. Now, we need to address four important practices, or perspectives, that facilitate convergence when taking on any GRC activity.

1. Get senior-level buy-in - the first step once you have a clearly defined plan is to get support from the senior staff. Once you have their support, and they are clear on the objectives, there will be fewer holdups in the project as they champion the effort.

2. Don’t rely solely on the data presented - many organizations put too much focus on the results of GRC experts from audit, risk management, compliance or IT to assess and report on risk and control. These often lack objectivity and shouldn’t be your focus. Audits and inspections are part of the process, but cannot be relied on as the basis of the framework.

3. Standardize - although we have said that technology can and should be used to achieve GRC, try to avoid using multiple systems from multiple vendors. Get one solution that will meet all of your needs; it will avoid conflicts between systems.

4. Keep your eye on the big picture - working in silos can kill GRC efforts. With so many different regulating bodies in existence, it is important to recognize synergies between them as you create your GRC framework. Try to avoid focusing on just one set of objectives. We suggest implementing an internal competency center to create role clarity, eliminate redundant tasks, and enhance collaboration between the GRC leadership team and process owners.

The value of data

Author: Phara McLachlan

Data protection is a key IT function, and most IT managers know that you cannot properly protect data if you don’t know what it is worth. In order to determine its value, you must know where it is, how it is used, and where and when to integrate and federate it. In order to evaluate data from a business perspective, you must have an oversight-level IT perspective.

Data governance is an essential ingredient in the IT process. Once you can determine the value of your data, you must then calculate the probability of risk in a business process. Once the probability of risk is defined, a proper determination can be made as to how much you should spend to protect and manage your data.

Just like any IT-related project, in order to implement best practices and get the most out of your investment, a clear “blueprint” for the future needs of the company should be created and revisited as often as possible, so that changing needs are identified as far in advance as possible - saving time and money.
