Security Management Policies objective scope template
2013-08-27
  
Creating Policies

1. Identify the Need for a Policy

You want to have the necessary policies and procedures to ensure a safe, organized, convivial, empowering, nondiscriminatory workplace. Yet, you do not want to write a policy for every exception to accepted and expected behavior. Policy development is for the many employees, not for the few exceptions.

Consequently, you do not want to create policies for every contingency, thus allowing very little management latitude in addressing individual employee needs. Conversely, you want to have needed policies, so that employees never feel as if they reside in a free-for-all environment of favoritism and unfair treatment. These ten steps will take you from determining the need for a policy through distributing and integrating a policy.

2. Check Out These Guidelines to See if a Policy Is Needed

For each of the reasons provided about why a policy might be necessary, we have provided examples of the policies that might fall into that category of need for a policy. A policy is necessary:

• if the actions of employees indicate confusion about the most appropriate way to behave (dress codes, email and Internet policies, cell phone use),

• if guidance is needed about the most suitable way to handle various situations (standards of conduct, travel expenditures, purchase of company merchandise),

• when needed to protect the company legally (consistent investigation of charges of harassment, non-discriminatory hiring and promotion),

• to keep the company in compliance with governmental policies and laws (FMLA, ADA, EEOC, minimum wage),

• to establish consistent work standards, rules, and regulations (progressive discipline, safety rules, break rules, smoking rules), and

• to provide consistent and fair treatment for employees (benefits eligibility, paid time off, tuition assistance, bereavement time, jury duty).

There may be other reasons, additionally, for why you may want to develop a policy. Remember, though, that one employee's poor behavior should not require a policy that will affect all other employees.

3. Articulate the Goal of the Policy

Once you have determined that a policy is necessary, determine the goal you want to accomplish in writing the particular policy. When possible, you will want to tell employees why the policy is being implemented. You need enough details in the policy to make the company’s position clear, yet you can never hope to cover every potential situation addressed by the policy.

Consequently, my goal with a policy is short and simple. I recognize this may not be possible with policies about areas such as the company's approach to the Family Medical and Leave Act, discrimination or complaint investigation, or the progressive discipline system. But, how much can you really say about driving while talking on a cell phone? So, use common sense as you determine the outcome you want from your policy.

4. Develop and Write the Policy

With goals and samples in hand, write the policy using simple words and concepts. Speak directly to the people who will be reading, enforcing, and living by the policy. After each paragraph, ask yourself "what if" questions to make certain the policy is covering the basics and the normal exceptions and questions. Do not obsess over this, however; as stated, no policy ever covers every possible contingency.

5. Review the Policy

Select several employees, or even a small pilot group, to read the policy and ask any questions they might have about the policy. This review provides feedback that employees will be able to understand and follow the policy. Rewrite the policy based on the feedback.

6. Obtain Management Support for the Policy

Review the policy with the managers who will have to lead and put into effect the policy. You will want to have their support and ownership of the policy. You will have started this process much earlier, even as early as when you identified the need for the policy, but management support as you implement the policy is crucial.

7. Obtain Legal Review of the Policy

If the policy has legal implications, is litigious by its nature, or has personal implications for employees (such as security procedures), you will want to have your attorney review the policy before you distribute the policy further. Make sure you communicate to your attorney that you do not want the policy rewritten in "legalese." You want the policy reviewed for legal implications and appropriate wording.

8. Implement the Policy

In small groups, individually, or in a company meeting, depending generally on the controversial nature of the policy and the ease with which it will be understood, distribute and review the new policy. Give employees a chance to ask questions.

The policy should always consist of the policy on a piece of paper with the employee sign off on a second sheet. Employees can sign off that they have received and understand the policy, yet retain a copy for their own files.

This is a sample sign off statement to use:

I acknowledge receipt of and understanding of the (Your Company) Policy. The policy is effective (Date) until further notice.

_______________________________________________________
Employee Signature

_______________________________________________________
Employee Name (Please Print)

________________________________
Date

9. Decide How You Will Communicate the Policy in the Future

Include the policy in your employee handbook. You may also want the policy to become part of your New Employee Orientation. Some companies place policies in their Intranet or in a policy folder on the computer network's common drive. Determine whether you will want to distribute the policy by additional methods.

You will also want to archive and date former policies that this policy replaces. You may need them for legal or other reference in the future.

10. Interpret and Integrate the Policy

No matter what you write in the policy, your later policy application and work practices will determine the real meaning of the policy. Think "consistent" and "fair" as you interpret the policy over time. When you find your practices differing from the written policy, it is time to review and rewrite the policy and the cycle starts again.

IT Services

Policies, Objectives and Scope

Process: Security Management

Status:
In draft
Under Review
Sent for Approval
Approved
Rejected

Version:<>

Release Date:

Policies, Objectives and Scope for Security Management

The document is not to be considered an extensive statement as its topics have to be generic enough to suit any reader for any organization.

However, the reader will certainly be reminded of the key topics that have to be considered.

11. Policy Statement

A course of action, guiding principle, or procedure considered expedient, prudent, or advantageous

12. Objectives Statement

Something worked toward or striven for; a goal

Use this text box to answer the “SENSE OF URGENCY” question regarding this process.

Why is effort being put into this process?

Not simply because someone thinks it’s a good idea. That won’t do. The reason has to be based in business benefits.

You must be able to concisely document the reason behind starting or improving this process.

Is it because of legal requirements or competitive advantage? Perhaps the business has suffered major problems or user satisfaction ratings are at the point where outsourcing is being considered.

A policy statement any bigger than this text box, may be too lengthy to read, lose the intended audience with detail, not be clearly focussed on answering the WHY question for this process.

Use this text box to answer the “WHERE ARE WE GOING” question regarding this process.

What will be the end result of this process and how will we know when we have reached the end result?

Will we know because we will establish a few key metrics or measurements or will it be a more subjective decision, based on instinct?

A generic sample statement on the “objective” for Security Management is:

The object of Security Management is to ensure such a level of security, that the agreed availability of the infrastructure is not compromised and that the capability of the IT Services and the supporting Infrastructure can be protected in a cost effective manner in line with the Business Objectives. In addition to this, Security Management will perform optimisation activities to ensure constant improvements and alignment.

Note the keywords in the statement. For the statement on Security Management they are “cost effective” and “not compromised”. These are definite areas that we can set metrics for and therefore measure progress.

An objective statement any bigger than this text box, may be too lengthy to read, lose the intended audience with detail, not be clearly focussed on answering the WHERE question for this process.

Use this text box to answer the “WHAT” question regarding this process.

What are the boundaries for this process?

What does the information flow look like into this process and from this process to other processes and functional areas?

A generic sample statement on the “scope” for Security Management is:

The Security Management process will be responsible for measuring and setting security measures involving the following aspects of the IT Infrastructure:

• Hardware

• Software

• System Software

• Etc

Security Management will not be responsible for those components that exist under the banner of Applications Development. Security Management issues will not be reported to the Service Desk via the Incident Management process; they will be reported directly to the security manager.

Availability Management will implement the requirements as described in the Security Management policy.

A scope statement any bigger than this text box, may be too lengthy to read, lose the intended audience with detail, not be clearly focussed on answering the WHAT question for this process.

13. Scope Statement

The area covered by a given activity or subject

The above Scope Statement was:

Prepared by:

On:<>

And accepted by:

On:<>
