
The NOREX News section will be updated frequently with member alerts, news releases, helpful links, event notices, member gold nuggets, resource additions and helpful community-building information. If it's new, you will find it here.

A recent member request for assistance developing a coherent IT Governance Strategy resulted in some very meaningful feedback from other members.

Request from member: How does your company document, release, publish, and manage all the policies, procedures, etc. that make up your IT Governance? My problem is we are starting to pull together all our policies and procedures for our IT Governance, but I want to avoid a big pile of Word docs. I'm hoping there is a better way.

Response from member A: I was hired for a brand new position built around management of security and IT governance in May of 2009. One of my first initiatives was to address this issue. We began an approach approximately one year ago that consisted of the following:

Step 1: Inventory of policy, procedure, standards documents. In addition to the employee handbook policies, which were pretty well maintained and organized, we found all sorts of informal procedure documents, memos, draft procedures and whatnot in a variety of shared folders. Most of the documents had questionable provenance – it was hard to tell which were still relevant, hard to tell draft documents from final, and we were sure that most employees were unaware of and unable to locate documents they needed.

Step 2: Creation of an Organizational Document Standard which defines and describes the types of documents we recognize – policies, procedures, process definitions, standards, guidelines, etc. This standard establishes common requirements for these documents, e.g. all must have an owner and approver, effective date, review schedule, etc. All organizational documents must be published on the organizational documents section of our intranet site.

Step 3: The next step was to create Word templates and examples for each document type.

Step 4: Using the process definition template, we created processes for the creation, approval, and periodic review of organizational documents. This was necessary because of separate approval processes. For example, HR/employee handbook policies and policy changes are published in a web forum on our intranet site for employee comment before going to our board of directors for approval. Finance policies are reviewed by our finance committee. Standards and procedures are typically approved by our executive team.

Operation: We now have a standard, published method for creating, reviewing, approving, and distributing our documents, along with the basis for annual review and revision of documents. In the early stages, we looked at a plan for documenting our procedures, but the sheer number and frequency of change made this a pretty daunting prospect, with huge time commitment and questionable return. Creating a formal document type for process definition led to a business process inventory that tied into our business continuity plan. Now we have an inventory of about 130 business processes, and based on a business process impact analysis that came out of our BCP efforts, we have identified the 30 or so business processes that we consider critical. Now, instead of looking at potentially hundreds and hundreds of procedures to document, we are focused on about 30 critical processes – a much more manageable number! I have templates and samples that I would be happy to share.

Response from member B: I am a long-time technical writer working in IT who is now part of a relatively newly formed IT Governance department. I was assigned to create our first manual on this subject and am nearing the completion of a first "final draft." To answer your questions, how does my company...

Document: Basically, this is a standard technical writing project. First, I interviewed manager(s) and we made a list of topics that were prompting the need for an IT policy manual. Then I went to the Internet and googled various topics, downloading things of interest. Finally, I went onto the NOREX site and scrolled through governance-related documents, pulling down all governance-related items. Although I had already created a design and organization based on our documentation standards, I found the following document on NOREX to be the most helpful: NC-Long-IT Governance Manual 46-552. Using that manual as a basis helped me refine my structure and ensure that I included all typical topics.

I organized the material into one file, edited the material one policy at a time based on my knowledge of the organization, and then began to "feed" the IT Governance manager with small clusters of policy, asking him to respond, which he did with further edits.

The productivity tool available to me is MS WORD. Through simpler formatting and a keener eye to keeping things compressed, I was able to bring the 200-225 page NOREX document to under 100 pages. Also, I liberally hyperlinked (rather than replicate) related procedures to policies. To assist hyperlinking I had to reorganize various folders and obtain access to other IT departmental folders, which IT Governance had intended to occur anyway.

Release: Our plan is to release the first "final draft" to the 6 heads of IT management, hopefully in September. The cover letter will explain that they should read and analyze the material and call if updates are needed. They will be responsible for consulting with their people. It will be made explicit that what is written in the policy will be the written standard for performance and operations going forward. Final approval will be sought, and there will be a soft deadline after which it will be assumed that publication will commence.

Publish: The document will be posted in the IT portion of our company Intranet. Anyone with access to the IT folders can browse, print or save the file at any time. It will be available for consumption to those who need to know, including auditors and examiners.

Manage: This document is added to my regular project schedule for an annual (or semi-annual?) review, and will be changed ad hoc as required.

Projected Impact on our Organization: This document is intended to represent how we run our shop. It will be the "face" of IT, internally and externally. We also anticipate better coordination of effort and better attention to procedures. People will know that IT policies "govern" their work. Trust this helps.

Response from member C: IT Governance policies are created by the Information Systems organization, usually IS Security. Policies are reviewed by the Human Resources and Legal departments before publishing. Documents are published to an internal website viewable by all associates and others on the network. Policies are communicated to email users. Security Awareness Newsletters are generated monthly and cover work and home subjects, as well as communicating policy statements with links to the entire policy. Mandatory yearly security training is performed online. Depending on the type of security procedures, they are housed in an online system requiring an ID and password, and are available to Security and Help Desk personnel.

The intranet website has a security website that includes:

• Policies and procedures

• Access requests and approvals

• Security newsletters

• Q&A

• Feedback

• and more