IT Governance Policies & Procedures · 2021. 5. 4. · §4.05 ITIL Certification §4.06 ITIL as an...


IT Governance Policies & Procedures

by Michael Wallace and Larry Webber

The role of IT management is changing even more quickly than information technology itself. IT Governance Policies & Procedures, 2021 Edition, is an updated guide and decision-making reference that can help you to devise an information systems policy and procedure program uniquely tailored to the needs of your organization. This valuable resource not only provides extensive sample policies, but also gives the information you need to develop useful and effective policies for your unique environment. For fingertip access to the information you need on IT governance, policy and planning, documentation, systems analysis and design, and much more, the materials in this ready-reference desk manual can be used by you or your staff as models or templates to create similar documents for your own organization.

Highlights of the 2021 Edition

Prepared by John F. Buckley IV

The 2021 Edition brings you the following changes:

• The chapter on Information Technology Infrastructure Library (ITIL) has been thoroughly revised to incorporate the recent launch of ITIL version 4. (See Chapter 4.)

• The sections on causes of employee burnout, as well as the potential pitfalls of poor recruiting practices, have been expanded. (See §§ 11.02[A] and 11.08[B].)

• New material has been added to address the increased use of video conferencing for virtual workers, as well as the need to safeguard personal smartphones that store company information. (See §§ 13.03[C] and 13.03[D].)

• Tips for developing a mobile device policy have been added. (See § 30.04[C].)

• Additional pitfalls associated with end-user computing have been added. (See § 31.02[E].)

• A new subsection regarding data storage guidelines for documents subject to data retention laws has been added. (See § 34.07[C].)

• Additional tips regarding data management have been added. (See § 39.03.)

• Appendix A has been updated to include data breach notification laws for Puerto Rico and the Virgin Islands, and also to reflect changes to Vermont’s data breach notification laws.

• Data from recent surveys and reports has been added and updated in the Comment sections throughout.

In addition, exhibits, sample policies, and worksheets are included in each chapter, which can also be accessed at WoltersKluwerLR.com/ITgovAppendices. You can copy these exhibits, sample policies, and worksheets and use them as a starting point for developing your own resources by making the necessary changes.

Further, the Index has been updated to reflect all of the changes to the text.


For questions concerning this product, billing, or other customer service matters, contact our Customer Service Department at [email protected] or 1-800-234-1660.

To order additional products, visit www.WoltersKluwerLR.com or call 1-800-638-8437.

IT GOVERNANCE POLICIES & PROCEDURES

Michael Wallace and Larry Webber

2021 EDITION

Prepared by John F. Buckley IV

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher and the author(s) are not engaged in rendering legal, accounting, or other professional services. If legal advice or other professional assistance is required, the services of a competent professional should be sought.

—From a Declaration of Principles jointly adopted by a Committee of the American Bar Association and a Committee of Publishers and Associations

Copyright © 2021 CCH Incorporated. All Rights Reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or utilized by any information storage or retrieval system, without written permission from the publisher. For information about permissions or to request permissions online, visit us at www.WoltersKluwerLR.com/policies/permissions-reprints-and-licensing, or email us at LRUSpermissions@wolterskluwer.com.

Published by Wolters Kluwer in New York.

Wolters Kluwer Legal & Regulatory U.S. serves customers worldwide with CCH, Aspen Publishers and Kluwer Law International products.

Printed in the United States of America

ISBN 978-1-5438-1855-0

About Wolters Kluwer Legal & Regulatory U.S.

Wolters Kluwer Legal & Regulatory U.S. delivers expert content and solutions in the areas of law, corporate compliance, health compliance, reimbursement, and legal education. Its practical solutions help customers successfully navigate the demands of a changing environment to drive their daily activities, enhance decision quality and inspire confident outcomes.

Serving customers worldwide, its legal and regulatory portfolio includes products under the Aspen Publishers, CCH Incorporated, Kluwer Law International, ftwilliam.com and MediRegs names. They are regarded as exceptional and trusted resources for general legal and practice-specific knowledge, compliance and risk management, dynamic workflow solutions, and expert commentary.

WOLTERS KLUWER SUPPLEMENT NOTICE

This product is updated on a periodic basis with supplements and/or new editions to reflect important changes in the subject matter.

If you would like information about enrolling this product in the update service, or wish to receive updates billed separately with a 30-day examination review, please contact our Customer Service Department at 1-800-234-1660 or email us at: [email protected]. You can also contact us at:

Wolters Kluwer
Distribution Center
7201 McKinney Circle
Frederick, MD 21704

Important Contact Information

• To order any title, go to www.WoltersKluwerLR.com or call 1-800-638-8437.

• To reinstate your manual update service, call 1-800-638-8437.

• To contact Customer Service, e-mail customer.service@wolterskluwer.com, call 1-800-234-1660, fax 1-800-901-9075, or mail correspondence to: Order Department—Wolters Kluwer, PO Box 990, Frederick, MD 21705.

• To review your account history or pay an invoice online, visit www.WoltersKluwerLR.com/payinvoices.

ABOUT THE AUTHORS

Michael Wallace has more than 30 years of experience in the information systems field. He began his career as a mainframe operator for Super Food Services and then moved to a programming position at Reynolds & Reynolds, developing financial applications for automotive dealers.

He became a consultant after graduating, magna cum laude, from Wright State University (Dayton, Ohio), with a Bachelor of Science in Management Science. For eight years, he was the president of Q Consulting, a custom application development firm. Mr. Wallace has been an application developer, a business analyst, and a technical and business consultant, and has assisted the State of Ohio in developing statewide information technology (IT) policies.

Mr. Wallace has served on the board of directors of various IT user organizations and is active in the local technical community. He is the past president of the Columbus Chapter of the International Association of Microsoft Certified Partners, and is a Competent Toastmaster and Competent Leader with Toastmasters International. Mr. Wallace graduated from the Executive Master of Business Administration program at the Fisher College of Business at The Ohio State University.

After working as a practice manager and director for the last few years, Mr. Wallace is now an Agile Coach at Cardinal Solutions Group, helping their clients build high performance software development teams. He has also taught in the graduate programs at The Ohio State University and DeVry University Keller Graduate School of Management, and has published several articles and books on business and technology topics.

Mr. Wallace can be reached by email at [email protected], on his blog at businesstechbooks.wordpress.com, or on Twitter @MichaelWallace.

Larry Webber has almost 40 years of experience in the information services field. He began his career in the U.S. Marine Corps as a digital network repairman and then moved to a position as a Common Business Oriented Language (COBOL) programmer supporting the Marine Corps’ logistics traffic management systems.

After his release from active service, he worked in Kansas City as a COBOL programmer, systems analyst, and IT manager at Waddell & Reed, Temperature Industries, United Telecommunications, and the law offices of Shook, Hardy & Bacon.

For the next 12 years, Mr. Webber held various systems engineering and data processing management positions with International Truck and Bus in Springfield, Ohio, where, among other achievements, he authored an extensive disaster recovery plan for several companies. He is currently a senior project manager in the Columbus, Ohio area.

Mr. Webber has an Associate in Science degree from Darton College in Albany, Georgia, in Data Processing; a Bachelor of Science in Business Administration, a Master’s in Business Administration from Rockhurst College in Kansas City, Missouri; and an Associate in Science degree in Industrial Engineering from Sinclair Community College in Dayton, Ohio. He has also completed a Master of Project Management degree from West Carolina University.

Mr. Webber is retired from the U.S. Army Reserve as a first sergeant in the Infantry. He is a certified project management professional from the Project Management Institute and is certified in Production and Inventory Management by the American Production and Inventory Control Society. He is also certified as a master of business continuity planning by Disaster Recovery Institute International, a Six Sigma Black Belt, and an Information Technology Infrastructure Library Service Manager. Mr. Webber is a visiting professor at DeVry University Keller Graduate School of Management, and has published several articles on disaster recovery topics. His published works include disaster recovery/business continuity, quality control, project management, and veteran’s benefits.

Mr. Webber can be reached by email at [email protected]. Comments and suggestions for improving this book are welcome.


CONTENTS

A complete table of contents for each chapter is included at the beginning of the chapter.

Preface
Acknowledgments

Part I OPERATING AND ORGANIZING THE BUSINESS

1 IT GOVERNANCE: ALIGNING IT WITH THE BUSINESS
    § 1.01 Overview
    § 1.02 Legal Issues
    § 1.03 IT Governance Models
    § 1.04 IT Strategic Planning Process

2 BUSINESS PROCESS MANAGEMENT: DEFINING YOUR BUSINESS
    § 2.01 Overview
    § 2.02 Building Your BPM Program
    § 2.03 Process Analysis Tools
    § 2.04 Simplifying a Process

3 IT GOVERNANCE METRICS: MEASURING YOUR SUCCESS
    § 3.01 Overview
    § 3.02 Basics of IT Governance Metrics
    § 3.03 Data Collection
    § 3.04 Analyzing
    § 3.05 Reporting
    § 3.06 Managing a Governance Metrics Program

4 ITIL: MEETING THE NEEDS OF BUSINESS
    § 4.01 Overview
    § 4.02 ITIL’s Framework
    § 4.03 ITIL Service Operation
    § 4.04 ITIL Service Delivery

    § 4.05 ITIL Certification
    § 4.06 ITIL as an Official Standard
    § 4.07 Implementing ITIL

5 IT QUALITY MANAGEMENT: THE KEY TO PREDICTABLE RESULTS
    § 5.01 Overview
    § 5.02 Start with a Quality Management Plan
    § 5.03 Quality Assurance or Quality Control
    § 5.04 Continuous Improvement
    § 5.05 Major Quality Techniques

6 POLICIES AND PROCEDURES: SETTING THE FRAMEWORK
    § 6.01 Overview
    § 6.02 Organizing a Manual
    § 6.03 Setting the Standards for Responsibilities
    § 6.04 IT Policy Approval Process

7 BUSINESS IMPACT ANALYSIS: MEASURING RISK
    § 7.01 Overview
    § 7.02 Managing a Business Impact Analysis (BIA)
    § 7.03 BIA Data Collection Process
    § 7.04 Crunching the Data
    § 7.05 BIA Results and the IT Department
    § 7.06 Updates

8 BUSINESS CONTINUITY PLANNING: STAYING IN BUSINESS
    § 8.01 Overview
    § 8.02 Prepare to Plan
    § 8.03 Business Continuity Planning Basics
    § 8.04 Planning—The Next Step
    § 8.05 Writing a Plan
    § 8.06 Third-Party Plan Certification
    § 8.07 Sources of Additional Information

9 IT AUDITS: STAYING IN COMPLIANCE
    § 9.01 Overview
    § 9.02 IT Management Audit
    § 9.03 IT Legal Mandates and Records Retention
    § 9.04 Resource Management
    § 9.05 Programming Activities Control
    § 9.06 Computer Operations
    § 9.07 Data Networks
    § 9.08 Disaster Recovery/Contingency Planning
    § 9.09 Workstation Audit Issues
    § 9.10 Strategies for Acing an Audit

10 RISK MANAGEMENT: MANAGING THE UNEXPECTED
    § 10.01 Overview
    § 10.02 Risk Management Is a Process

    § 10.03 Why Risk Management Fails
    § 10.04 Business Continuity Planning as a Mitigation Technique
    § 10.05 Implementing IT Risk Management
    § 10.06 Process Resilience Through Risk Management

Part II OVERSEEING AND DIRECTING PROJECTS AND PEOPLE

11 HUMAN RESOURCES: IT’S POOREST MANAGED ASSET
    § 11.01 Overview
    § 11.02 Recruiting, Reassignments, and Promotions
    § 11.03 New Employee Orientation
    § 11.04 Performance Review
    § 11.05 Employee Development
    § 11.06 Managing IT Training
    § 11.07 Employee Communications
    § 11.08 Employee Burnout
    § 11.09 IT Employee Productivity
    § 11.10 Nontraditional Working Arrangements

12 IT STAFFING: A ZERO-BASED APPROACH
    § 12.01 Overview
    § 12.02 How Many People Do You Need?
    § 12.03 What to Outsource?
    § 12.04 Staffing Minimization Techniques

13 VIRTUAL TEAMS: REMOTE CONTROL MANAGEMENT
    § 13.01 Overview
    § 13.02 The Virtual Company
    § 13.03 Becoming a Virtual Worker
    § 13.04 Virtual Workforce Strategy
    § 13.05 Leading a Virtual Team

14 REQUIREMENTS ANALYSIS: PLANNING FOR SUCCESS
    § 14.01 Overview
    § 14.02 Stakeholders Hold the Answers
    § 14.03 Describing a Requirement
    § 14.04 Assembling Specifications
    § 14.05 Stakeholders Interviews
    § 14.06 Validating Project Requirements
    § 14.07 IT Special Teams Round Out the Specs
    § 14.08 Modeling Your Requirements

15 PROJECT MANAGEMENT: GETTING IT OUT ON TIME
    § 15.01 Overview
    § 15.02 Project Management Fundamentals
    § 15.03 Important Elements of the Project Plan
    § 15.04 Executing the Project
    § 15.05 Project Closeout

    § 15.06 Rolling Wave Management
    § 15.07 Project Management Pitfalls

16 PROJECT MANAGEMENT OFFICE: OPTIMIZING THE ORGANIZATION
    § 16.01 Overview
    § 16.02 Project Management Office Responsibilities
    § 16.03 Managing the Project Portfolio
    § 16.04 Ensuring Project Management Quality

17 PROJECT PHASE REVIEWS: KEEPING EVERYTHING ON TRACK
    § 17.01 Overview
    § 17.02 Phase I—Business Case Phase Review
    § 17.03 Phase II—Planning Phase Review
    § 17.04 Phase III—Execution Phase Review
    § 17.05 Phase IV—Project Implementation Phase Review
    § 17.06 Phase V—Post Implementation Phase Review

18 SOFTWARE DEVELOPMENT: SOLID PRACTICES
    § 18.01 Overview
    § 18.02 Software Development Process
    § 18.03 Programming Methodologies
    § 18.04 Programming Conventions
    § 18.05 Software Acquisition
    § 18.06 Program Testing
    § 18.07 Software Deployment
    § 18.08 Program Maintenance

19 CUSTOMER SERVICE: MEETING EXPECTATIONS
    § 19.01 Overview
    § 19.02 What Is This ‘‘Thing’’ Called Customer Service?
    § 19.03 Components of IT Service Staffing
    § 19.04 Metrics—IT’s Measures of Success
    § 19.05 Why Use a Customer Survey?
    § 19.06 Translating Requirements into a Staff Level

20 SERVICE LEVEL AGREEMENTS: MANAGING EXPECTATIONS
    § 20.01 Overview
    § 20.02 Types of SLA
    § 20.03 Dimensions of an SLA
    § 20.04 Making Your SLA Work for You

21 CHANGE MANAGEMENT: KEEPING EVERYTHING UP TO DATE
    § 21.01 Overview
    § 21.02 Change Management Policy
    § 21.03 Patch Management Policy
    § 21.04 Patch Management Tools

22 THE INTERNET: MAKING IT PRODUCTIVE
    § 22.01 Overview
    § 22.02 Methods of Internet Access
    § 22.03 Internet Security
    § 22.04 Internet Usage
    § 22.05 Email Usage
    § 22.06 Owning and Operating a Web Site: Liability Concerns
    § 22.07 Acceptable Use Agreement

23 WEB 2.0: SUPPORTING COLLABORATION
    § 23.01 Overview
    § 23.02 Collaborating Using Web 2.0
    § 23.03 Social Networking
    § 23.04 Other Collaboration Tools

24 AGILE PROJECT MANAGEMENT: SOFTWARE AT THE SPEED OF BUSINESS
    § 24.01 Overview
    § 24.02 Cultivating an Agile Culture
    § 24.03 Agile Stories
    § 24.04 Agile Metrics
    § 24.05 The Agile Development Cycle
    § 24.06 Agile Frameworks
    § 24.07 Scaling Agile

25 DEVOPS: APPLICATIONS FROM START TO FINISH
    § 25.01 Overview
    § 25.02 DevOps Principles
    § 25.03 DevOps Practices
    § 25.04 DevOps Tools

26 VENDORS: GETTING THE GOODS
    § 26.01 Overview
    § 26.02 Vendor Management
    § 26.03 Play by the Rules
    § 26.04 Consulting and Temporary Personnel Services
    § 26.05 Requests for Proposal

Part III MANAGING AND OPTIMIZING INFRASTRUCTURE

27 SERVICE DESK SUPPORT: HANDLING DAY-TO-DAY HASSLES
    § 27.01 Overview
    § 27.02 Role of the Service Desk
    § 27.03 Establishing a Service Desk
    § 27.04 The Proactive Service Desk
    § 27.05 The Service Desk in a Disaster

28 MANAGING IT ASSETS: IDENTIFY WHAT YOU HAVE
    § 28.01 Overview
    § 28.02 Lay the Groundwork
    § 28.03 Conducting the Inventory
    § 28.04 Software Asset Management
    § 28.05 Software Assets

29 MANAGING INNOVATION: CHOOSING THE RIGHT TOOL
    § 29.01 Overview
    § 29.02 Set the Foundation—An Asset Inventory
    § 29.03 Creating an Innovation Strategy
    § 29.04 Fostering a Climate for IT Innovation
    § 29.05 Proposing New Items
    § 29.06 Pitfalls

30 PERSONAL COMPUTERS: MANAGING USER DEVICES
    § 30.01 Overview
    § 30.02 PC Support Manager
    § 30.03 Acquisition Procedures
    § 30.04 Operations Procedures
    § 30.05 End-User Technical Support

31 END-USER SYSTEMS: DO-IT-YOURSELF COMPUTING
    § 31.01 Overview
    § 31.02 The Problems with End-User Computing
    § 31.03 Personal Computing vs. Corporate Computing
    § 31.04 Managing a Proactive End-User Computing Program
    § 31.05 End-User Policies

32 NETWORK MANAGEMENT
    § 32.01 Overview
    § 32.02 Data Network
    § 32.03 Digital Telephone
    § 32.04 Assessing Network Risks
    § 32.05 Network Security
    § 32.06 Controlling Network Access

33 INFORMATION SECURITY: ALL OF THE REST
    § 33.01 Overview
    § 33.02 Build/Enhance an Information Security Program
    § 33.03 Identify the Critical Assets
    § 33.04 How Much Risk Is Acceptable
    § 33.05 Apply Security Everywhere
    § 33.06 Incident Response Planning
    § 33.07 People Are the Problem
    § 33.08 Raise the Defenses
    § 33.09 Certifications

34 DATA BACKUPS: THE KEY TO A PROMPT RECOVERY
    § 34.01 Overview
    § 34.02 Data Recovery
    § 34.03 Data Backups—Major Responsibilities
    § 34.04 Designing for Backups
    § 34.05 Media Handling, Transportation, and Storage
    § 34.06 Workstation, Notebook PC, and Data Collection Station Backups
    § 34.07 Data Retention and Legal Mandates

35 OPEN SOURCE: MANAGING ISSUES
    § 35.01 Overview
    § 35.02 Consider All of the Costs
    § 35.03 Licensing
    § 35.04 Server Systems
    § 35.05 Applications Software
    § 35.06 Manage the Process

36 VIRTUALIZATION: OPTIMIZING RESOURCES
    § 36.01 Overview
    § 36.02 Server Virtualization
    § 36.03 Desktop Virtualization
    § 36.04 Application Virtualization
    § 36.05 Storage Virtualization

37 CLOUD COMPUTING: INFRASTRUCTURE ALTERNATIVES
    § 37.01 Overview
    § 37.02 Cloud Computing
    § 37.03 Disaster Recovery as a Service (DRaaS)
    § 37.04 Cloud Computing Vendor Selection Process
    § 37.05 Cloud Computing Vendor Management
    § 37.06 Fog Computing: The Edge of the Internet

Part IV BUILDING AND SHARING KNOWLEDGE

38 DOCUMENTATION: GETTING EVERYONE ON THE SAME PAGE
    § 38.01 Overview
    § 38.02 Developing a Reference Documentation Policy
    § 38.03 Document Formats
    § 38.04 Document Management
    § 38.05 System Reference Instructions
    § 38.06 Project Documentation
    § 38.07 Systems Analysis Documentation
    § 38.08 Flowcharting Standards

39 DATA MANAGEMENT: TAKING CARE OF CORPORATE INFORMATION
    § 39.01 Overview
    § 39.02 Issues Relating to Data
    § 39.03 Access to Data
    § 39.04 Protecting Employee Data

40 BIG DATA: CAPTURING ALL OF YOUR DATA
    § 40.01 Overview
    § 40.02 Data Governance Strategy
    § 40.03 Business Intelligence
    § 40.04 Big Data

41 DOCUMENT MANAGEMENT: CAPTURING CORPORATE KNOWLEDGE
    § 41.01 Overview
    § 41.02 Capture and Storage
    § 41.03 Retrieval and Collaboration
    § 41.04 Printing and Archiving
    § 41.05 Designing a Solution

42 IT TRAINING: BUILDING THE RIGHT SKILLS
    § 42.01 Overview
    § 42.02 Training for Immediate Requirements
    § 42.03 Training the Crew
    § 42.04 Managing Training

43 PROTECTING THE COMPANY’S INTELLECTUAL PROPERTY
    § 43.01 Overview
    § 43.02 First Address the Basics
    § 43.03 Addressing a Security Breach
    § 43.04 Employee Education
    § 43.05 Evaluating Technical Solutions

44 GOVERNING THE INTERNET OF THINGS (IoT)
    § 44.01 Overview
    § 44.02 The Challenges of IoT
    § 44.03 Raise Your Defenses

Appendix A DATA BREACH NOTIFICATION LAWS BY STATE

Glossary of IT Terms
Index

Exhibits, policies, and worksheets included in IT Governance Policies & Procedures, 2021 Edition, can be accessed at WoltersKluwerLR.com/ITgovAppendices.

Exhibit/Policy/Worksheet Name

Chapter 1
    POLICY ITP-01-1 Establishment of IT Governance Model

Chapter 2
    POLICY ITP-02-1 IT Process Management Procedures

Chapter 3
    WORKSHEET 03-1 IT Metric Collection Approval Form

Chapter 4
    POLICY ITP-04-1 Configuration Management Database Policy
    POLICY ITP-04-2 ITIL Training Program

Chapter 5
    POLICY ITP-05-1 IT Quality Program

Chapter 6
    EXHIBIT 6-2 Sample Policy Format
    EXHIBIT 6-3 Policy Suggestion Form
    POLICY ITP-06-1 Establishment of Policy Authority
    POLICY ITP-06-2 Policy Approval Process

Chapter 7
    POLICY ITP-07-1 Business Impact Analysis Policy
    WORKSHEET 07-1 Business Impact Analysis Questionnaire

Chapter 8
    POLICY ITP-08-1 Business Continuity Planning Policy
    WORKSHEET 08-1 Risk Assessment Form
    WORKSHEET 08-2 Critical Vendor List

Chapter 9
    POLICY ITP-09-1 IT Audit Policy

Chapter 10
    POLICY ITP-10-1 IT Risk Management Policy
    WORKSHEET 10-1 Risk Management Plan Form
    WORKSHEET 10-2 Failure Mode and Effects Analysis

Chapter 11
    POLICY ITP-11-1 Recruiting Bonus Policy
    POLICY ITP-11-2 New Employee Mentoring Policy
    POLICY ITP-11-3 Peer Performance Review Policy
    POLICY ITP-11-4 IT Staff Flextime Policy
    POLICY ITP-11-5 IT Staff Rehire Policy
    WORKSHEET 11-1 IT Candidate Interview Rating Form
    WORKSHEET 11-2 IT Staff Peer Performance Form
    WORKSHEET 11-3 Employee Termination Checklist
    WORKSHEET 11-4 Employee/Process Matrix

Chapter 12
    WORKSHEET 12-1 Staffing Management Plan
    POLICY ITP-12-1 Zero-Based IT Staffing Policy

Chapter 13
    POLICY ITP-13-1 Remote Access Policy
    POLICY ITP-13-2 Virtual Workforce Policy
    WORKSHEET 13-1 Virtual Team Checklist

Chapter 14
    POLICY ITP-14-1 Requirements Gathering Policy
    POLICY ITP-14-2 Prototyping IT Projects Policy
    WORKSHEET 14-1 Requirements Traceability Matrix

Chapter 15
    POLICY ITP-15-1 Project Management Policy
    WORKSHEET 15-1 Project Risk Management Plan
    WORKSHEET 15-2 Stakeholder Analysis Form
    WORKSHEET 15-3 Stakeholder Reporting Matrix

Chapter 16
    EXHIBIT 16-1 Portfolio Bubble Chart
    POLICY ITP-16-1 Project Management Office Policy
    POLICY ITP-16-2 Project Portfolio Management Policy
    POLICY ITP-16-3 Project Quality Review Policy
    WORKSHEET 16-1 Project Portfolio Ranking

Chapter 17
    POLICY ITP-17-1 Project Phase Reviews Policy
    POLICY ITP-17-2 IT Project Records Archive Policy

Chapter 18
    EXHIBIT 18-1 Sample Decision Table
    EXHIBIT 18-2 Sample Decision Table
    POLICY ITP-18-1 Ownership of Computer Software Policy
    POLICY ITP-18-2 Acquisition of Computer Software Policy
    POLICY ITP-18-3 Software Deployment Policy

    WORKSHEET 18-1 Software Evaluation Worksheet
    WORKSHEET 18-2 Decision Table Worksheet
    WORKSHEET 18-3 Software Deployment Checklist

Chapter 19
    POLICY ITP-19-1 IT Staffing Metrics Collection Policy
    POLICY ITP-19-2 IT Staffing Levels Policy
    WORKSHEET 19-1 Service Level Survey
    WORKSHEET 19-2 Hours of Support Matrix

Chapter 20
    POLICY ITP-20-1 IT Service Level Agreement Policy

Chapter 21
    EXHIBIT 21-1 Capability Maturity Model for Patch Management
    POLICY ITP-21-1 Change Advisory Board Policy
    POLICY ITP-21-2 Change Management Policy
    POLICY ITP-21-3 Patch Testing Policy

Chapter 22
    POLICY ITP-22-1 Internet Connection Policy
    POLICY ITP-22-2 Wi-Fi Hotspot Internet Access Policy
    POLICY ITP-22-3 Firewall Usage Policy
    POLICY ITP-22-4 Internet Acceptable Use Policy
    POLICY ITP-22-5 Email Usage and Retention Policy
    POLICY ITP-22-6 Email Marketing Policy
    POLICY ITP-22-7 Email Archiving Policy
    WORKSHEET 22-1 Email/Internet User Agreement

Chapter 23
    POLICY ITP-23-1 Collaboration Policy
    POLICY ITP-23-2 Instant Messaging Policy
    POLICY ITP-23-3 Blogging Policy
    POLICY ITP-23-4 Social Media Usage Policy

Chapter 24
    EXHIBIT 24-1 Traditional vs. Agile Project Management
    EXHIBIT 24-2 Iteration Burndown
    EXHIBIT 24-3 Release Burndown
    POLICY ITP-24-1 Agile Project Management Policy

Chapter 25
    POLICY ITP-25-1 DevOps Policy

Chapter 26
    POLICY ITP-26-1 Vendor Management Policy
    POLICY ITP-26-2 Ownership of Intellectual Property Policy
    WORKSHEET 26-1 Mutual Non-Disclosure Agreement
    WORKSHEET 26-2 Bidder Analysis

Chapter 27
    EXHIBIT 27-1 Critical Process Impact Matrix
    POLICY ITP-27-1 ITIL Service Desk Policy

Chapter 28
    POLICY ITP-28-1 Asset Manager Assignment Policy
    POLICY ITP-28-2 IT Hardware Asset Management Policy
    POLICY ITP-28-3 Install/Move/Add/Change Policy
    POLICY ITP-28-4 Software Asset Management Policy
    WORKSHEET 28-1 Install, Move, Add, Change (IMAC) Form

Chapter 29
    WORKSHEET 29-1 New Technology Evaluation Request

Chapter 30
    POLICY ITP-30-1 Hardware Loan Policy
    POLICY ITP-30-2 Mobile Device Acquisition Procedures
    POLICY ITP-30-3 Acceptable Use Policy
    POLICY ITP-30-4 Bring Your Own Device (BYOD) Policy
    POLICY ITP-30-5 Bring Your Own Network (BYON) Policy
    POLICY ITP-30-6 Mobile Device Usage Policy
    POLICY ITP-30-7 Flash Drive Usage Policy
    POLICY ITP-30-8 Computer Equipment Disposal Policy

Chapter 31
    POLICY ITP-31-1 End-User Computing Policy
    POLICY ITP-31-2 App Store Application Policy
    POLICY ITP-31-3 End-User Systems Documentation Policy

Chapter 32
    POLICY ITP-32-1 Wireless Security Policy
    POLICY ITP-32-2 Cable Management Policy
    POLICY ITP-32-3 Network Security Policy
    POLICY ITP-32-4 User Authentication Policy

Chapter 33
    POLICY ITP-33-1 Information Security—Security Testing of All Software Policy
    POLICY ITP-33-2 Information Security Data Protection Policy
    POLICY ITP-33-3 Information Security Incident Response Policy

POLICY ITP-33-4 Information Security Social Engineering Resistance Policy
WORKSHEET 33-1 Security Audit Checklists

Chapter 34
POLICY ITP-34-1 Data Backups and Retention Policy

Chapter 35
POLICY ITP-35-1 Use of Open Source Software on Company Equipment
POLICY ITP-35-2 Open Source Review Board

Chapter 36
POLICY ITP-36-1 Server Virtualization Policy
POLICY ITP-36-2 Desktop Virtualization Policy
POLICY ITP-36-3 Application Virtualization Policy
POLICY ITP-36-4 Storage Virtualization Policy

Chapter 37
POLICY ITP-37-1 Acceptable Cloud Services Policy
POLICY ITP-37-2 Cloud Computing Vendor Management Policy

Chapter 38
EXHIBIT 38-1 System Document Format
EXHIBIT 38-2 End-User Document Format
POLICY ITP-38-1 IT Documentation Policy
POLICY ITP-38-2 IT Documentation Management Policy
POLICY ITP-38-3 Project Documentation Policy
WORKSHEET 38-1 Project Documentation Checklist
WORKSHEET 38-2 Revision Sheet

Chapter 39
POLICY ITP-39-1 System of Record Policy
POLICY ITP-39-2 Protected Health Information Policy
POLICY ITP-39-3 Employee Data Management Policy

Chapter 40
POLICY ITP-40-1 Data Governance Policy

Chapter 41
POLICY ITP-41-1 Document Retention Policy

Chapter 42
POLICY ITP-42-1 Training Effectiveness Measurement Policy
WORKSHEET 42-1 Skills Assessment Form
WORKSHEET 42-2 Cross-Training Matrix


Chapter 43
POLICY ITP-43-1 Company Confidential Materials Classification and Handling Policy

Chapter 44
EXHIBIT 44-1 IoT Components
EXHIBIT 44-2 Levels of IoT Security
POLICY ITP-44-1 Use of IoT Technology in Products


PREFACE

While many of the basic principles of superior information technology (IT) operations have not changed over the years—we still have to do backups, service business users, and so on—the Internet and an explosion of connectivity options have added new challenges to running an effective IT organization. Writing IT Governance Policies & Procedures has been a challenge because of the explosion of IT. By the time you finish this edition, technology changes will have already been developed for the next edition.

WHAT THIS MANUAL WILL DO FOR YOU

No two information systems operations are alike, but many do share some basic elements, such as hardware, software, and personnel. This manual defines the common threads that link all information systems operations, providing for a variety of situations—not as a one-size-fits-all model but, instead, as an updated guide and decision-making reference that can help you devise an information systems policy and procedure program uniquely tailored to the needs of your organization. Rather than simply providing sample policies that will not encompass what is unique to your organization, this manual gives you the information you need to develop useful and effective policies for your unique environment.

ORGANIZED FOR QUICK ACCESS

"Simplicity is the ultimate design." Often, a multitude of forms are included in policies and procedures handbooks. This manual, however, provides a minimum of forms with the understanding that a well-written memo or email message can take the place of a form and reduce the complexity of an IT operation. As an operation grows in complexity, the challenge to keep it running smoothly grows, and thus a formal system of operations becomes a necessity. IT operations that have a formal systems and procedures manual in place are more efficient.


ADDED STRATEGIC VALUE

The role of IT management is changing even more quickly than IT itself. Today, the IT operation is no longer found in some obscure corner of the corporate organization. Instead, it plays an interactive role in global systems. This manual will help you to formalize the policies and procedures that are needed to formally document the IT operation. Doing so will save both time and effort. This manual will help you identify standard operations and procedures, documenting as needed, but still allowing for special needs.

Reality check: End-user computer systems will grow with or without the guidance of corporate IT, but the two working together will provide synergistic dividends. This manual updates the policies and procedures that can expedite your objectives.

Our research discovered many well-run information systems operations and some real disasters. The better ones had noticeably good management and practical documentation. Expensive consultants, fad innovations, and cutting-edge technology did not always produce the desired IT results.

IT Governance Policies & Procedures is a compilation of systems policies and procedures—the best practices within the industry—in current use. This manual is a process development tool that any seasoned information systems manager, working in a large or small IS operation, will find useful.

SAVING YOU TIME

In addition to the background information, you need to create policies specific to your organization. Sample policies are included with each chapter, which you can use as a starting point for developing your own resource by copying the sample policies, which are available online at WoltersKluwerLR.com/ITgovAppendices. Of course, you can also make needed changes and post the manual on a local area network or even a company intranet site.


ACKNOWLEDGMENTS

Michael dedicates this book to his teacher and mentor, George Jenkins, whose encouragement and support have been invaluable over the years, and to his wife and best friend, Tami, for all her support during his many projects.

Larry gratefully acknowledges the assistance of his wife, Nancy, in preparing this project.
