Saturday, December 4, 2010

Study notes on Cobit: Communicating management aims and direction

Defining or maintaining IT policies, standards and procedures

Suppose that there has been a user in your company who lost many important files because the hard disk of his computer died. Obviously, he didn't save his files into the network drive. To prevent similar incidents again in the future, the chief information security officer proposed to make an addition (bold below) to the IT standard, which belongs to a certain IT policy and is shown below.
IT policy 10: All employees should take care of the information they created against possible failures.
IT standard 123: File handling

  1. All user files created must be saved to the network drive instead of the local hard disk.

  2. If some files (at the confidential level or above) must be put onto a portable device such as a USB disk (to acquire a USB disk, refer to procedure 456), the file must be password protected (refer to the technical procedure 789).

  3. ...

Procedure 456: Applying for USB disks

  1. Fill in the form xyz.

  2. Get the approval from the department manager.

  3. Get the USB disk from the service desk.

  4. Return the USB disk by the deadline stated on the form.

  5. ...

Technical procedure 789: How to encrypt files

  1. ...

  2. ...

  3. ...

After defining or amending the policies, standards and procedures, depending on the authority of the chief information security officer, he may seek approval for this change (from the CIO or the chief risk officer of the company). But it is far from done yet, as the people will not automatically follow them.

Rolling out the IT policies, standards and procedures

So, he will need to inform all the people relevant (all users in this case) of the changes and the rationale behind it (if they don't understand the rationale, they will have no motivation to adhere to it). How?

  • Emailing them is a quick way but many people will simply ignore it. You may insist to get a reply and chase those who don't reply. But later people may simply reply to you without reading the mail.

  • You may conduct a briefing but it is very time consuming, in particular, for such a small change or if there are multiple locations in your company.

  • You may record a video to talk about the change and email them the link.

  • You may seek the help of the department managers to disperse this information.

  • Any other ways that you think is the most effective.

The above is for existing employees. What about new employees? Make sure the policies, standards and procedures are included in the orientation.


As you can imagine, it is difficult to get all people to understand the change, not to mention to really act according to it. So, it is almost always necessary to check if they're really doing it. That is, go to some users' PCs to check if there are any files saved locally (to save time, check against other terms in the IT standard or other standards). Of course, to perform such audits, you must get management approval first and inform the people in advance that audits will be conducted.