The Anatomy of an IT Policy

Patrick Hughes
Mar 31, 2021 1:00:00 PM

What are policies and why do we need them?

Every organization should have a set of policies in place. Policies are essentially the laws and regulations of an organization: they govern the health, safety, and accountability of employees and how the organization interacts with clients or customers. If your organization is required to comply with a law or regulation such as HIPAA, your policy set must meet at least the minimum requirements that regulation sets, including how sensitive data is handled and how long it is retained. Whatever your policy states that you do must actually be done. For example, if your policy states that you retain data for six years to be in line with HIPAA requirements, and an outside auditor then finds that data is being held for seven years, that is a finding. You have technically met the HIPAA requirement of six years, but you are still not compliant with your own policy. (Retaining the data for less than six years would be worse: a violation of both your policy and the regulation.) Whatever you say you do within your policies must be followed.

What goes into a policy?

There are many different elements to a successful policy. I have seen a lot of bad policies and several good policies throughout my career, and all the good ones share the same elements, in this order:

1. Purpose (or statement). Why does this policy exist? Keep this section short and to the point; it is a brief description of the content to follow.

2. Scope. Which areas, systems, and people within the organization the policy applies to. This is more descriptive than the purpose section. With the purpose and scope defined, readers have a clear idea of what to expect from the rest of the document.

3. Policy. The actual policy content. This is where you are detailed and descriptive, outlining exactly what you are putting into place. Remember, whatever you say here MUST be followed.

4. Roles and responsibilities. Who is responsible for upholding each aspect of the policy. Individuals need to know their role or responsibility.

5. Enforcement. The sanctions for not complying with the policy. This section must be clear and concise.

6. References. If the policy maps to specific frameworks or regulations, list them here.

7. Revision history and executive sign-off. Any time the policy is reviewed or updated, the change should be recorded and signed off by the approver. Reviews should happen at least annually and after any major change to the environment.

Implementing and maintaining the policy

Now that you have a policy with all the appropriate sections, you need to roll it out successfully. Distribute the policy to the appropriate parties and make sure they fully understand it; any questions should be cleared up at this time. Once they understand the policy, ask employees to acknowledge it with a sign-off, and keep those signed acknowledgements, since they are the evidence an auditor will ask for. Going forward, any time the environment or a process changes, update the policy to reflect the change and have the affected employees acknowledge the revised version.

Are your organization’s IT security and compliance policies in need of creation or updating? Compass IT Compliance has spent the past decade reviewing policies and mapping them to dozens of frameworks and regulations. Contact us today to learn more and to discuss your unique situation!
