IT Organizational Policy

Version: 1.00    Issue Date: 10/28/2015

This IT Organizational Policy outlines and defines an effective IT structure, ensuring the information technology function is properly led, funded, and structured to meet organizational needs.

1.0 Overview

This IT Organizational Policy will help ensure that Information Technology functions are under the control of the Information Technology department, structure and priorities are clear, and sufficient funding is available to meet required needs.

2.0 Purpose

This IT Organizational Policy requires that the information technology function be properly led and funded, with a structure that meets organizational needs.

3.0 Scope

This IT Organizational Policy applies to Information Technology Executives and IT management. This policy is effective as of the issue date and does not expire unless superseded by another policy.

4.0 IT Function

  • The information technology function must be led by an executive, such as a CIO, who reports to the head of the organization.
  • The leader of the information technology function must be part of the executive steering group.
  • The information technology function must have a formal operating budget which is created, reviewed, and approved by upper management at least annually. The budget must include funding for operations and maintenance and for the development of new projects and/or software.
  • A process must be created for creating, reviewing, and approving an information technology budget. The process must identify the people who have authority to approve the budget and the people accountable for creating it.
  • Outsourced information technology services must be under the control of the information technology department.
  • The information technology department must be funded from the top, and upper management determines the funding levels of the various sections of the information technology department.
  • Policies must not be developed by one part of the information technology department in isolation (policies cannot be developed in a vacuum); they must be developed with all affected areas of the information technology department involved. When business decisions are required as part of the policy development process, management of the affected business departments and selected users must be involved.
  • Individual parts of the information technology department must not be allowed to override or block priorities set by information technology planning or steering committees.
  • The information technology department must be able to manage and implement information technology services and/or solutions required to support business needs.
  • The information technology department management must meet on a regular basis with management of the business functions to keep them aware of information technology issues and of the functions provided by the information technology department.
  • The structure of the IT department should be reviewed annually to be sure it properly supports the business function as the organization changes.
  • The IT department should maintain maximum flexibility by using cross training and third party services to supplement or enhance the IT function.
  • A member of executive management should be appointed as a sponsor of risk management efforts.
  • A risk management organizational section should be created. This section should promote good risk management practice.
  • The head of the risk management section must be allowed to directly access all management in the organization.
  • The head of the risk management section must have peer contacts in government, law enforcement agencies, and businesses who are risk management specialists.

5.0 IT Roles and Duties

  • Areas of authority and responsibility must be defined and aligned with the organizational structure.
  • Information technology department roles and duties must be formalized with a job description and qualifications list. Activities of each job must be listed.
  • Job roles must be appropriate to the needs of the organization.
  • Job descriptions must specify required skills, qualifications, and responsibilities which include the responsibilities of security and information systems. The descriptions should include key goals and objectives of the position and tasks. The goals should be used to evaluate performance.
  • Required skills and experience for all information technology tasks must be formalised, and the job roles with authority to perform each task must be formally authorized.
  • All information technology tasks must be assigned to one or more positions. If tasks are changed, the appropriate position descriptions must also be changed. New positions should be created when it is appropriate.
  • When job roles and responsibilities are created, segregation of duties must be applied so the job does not allow too much control in one position.
  • Training must be regularly conducted so staff members understand their job roles and responsibilities.
  • Employees should be cross trained to reduce reliance on key or critical personnel.
  • Documentation of information technology tasks and processes should be used to reduce the reliance on specific information technology personnel.
  • Personnel who fill information technology positions must be appropriately skilled as specified by the job descriptions.
  • A process must be created to review the staffing needs of the information technology department. The process must consider the skills required and the number of personnel required to perform the information technology function.
  • Review of the staffing needs of the information technology department must be performed at least annually. Senior management must review the results of the staffing assessment and take required action in a time frame that meets the needs of the business.
  • Information technology positions and tasks must be reviewed by information technology management (for the positions they supervise) at least annually. Changes should be made when necessary. Management must identify critical positions.
  • Where critical positions are identified, steps should be taken to be sure more than one individual can perform required tasks. Skill sets and availability of staff both internally and externally should be considered.
  • Retention plans for individuals in key positions that are critical to the organization should be in place.
  • A succession plan for each key position in the organization should be created so staff changes will not cripple the organization.
  • Staff must be at least annually assessed to determine their job performance and understanding of their job role and responsibilities.
  • The management structure of the information technology department must provide proper supervision for sections of information technology based on the critical nature of each function and internal control requirements.
  • A process for escalating issues through the management chain must be created, documented, and communicated to staff.
  • Information technology management must:
    • Appraise the effectiveness of staff that work for them.
    • Determine whether internal controls are adequate or too stringent and make corrections when needed.
    • Determine whether their staff have the resources and authority to do their jobs and take corrective action when needed.
    • Review key performance indicators.
  • Information technology managers must be chosen based on experience and skills.
  • Information technology staff hiring, compensation, and evaluation must be based on attitude, experience, and skills.
  • Information technology staff training must be based on skills needs and the criticality of the position.
  • Information technology managers are assessed based on their effectiveness as managers of a technical function.
  • Policies and procedures describing the conditions under which work may be outsourced, and the types of work that can be outsourced, must be defined.

6.0 Quality Assurance

  • The information technology department must include a function for measuring and tracking quality assurance (QA).
  • The information technology department quality assurance function must be independent of those who it monitors.
  • The quality assurance function should include assurance that policies, procedures, and standards are followed and enforced.
  • The skills of the quality assurance function must include information technology skills, quality assurance skills, communication skills, and skills and knowledge about processes and policies.
  • The quality assurance function must be staffed well enough to perform their function effectively.
  • The quality assurance function must be supported and sponsored by upper management.
  • Methods to be used for finding, reporting, resolving, and escalating quality assurance issues must be documented in a process.
  • The effectiveness of the quality assurance function must be reviewed annually; the review must include the resource requirements and the method of performing quality assurance.

7.0 IT Security

  • The information technology department must include an independent security function which must be created by upper level management.
  • The security function must be staffed appropriately to perform its job.
  • The security function must be responsible for overall security of the organization.
  • The security function must be able to create and enforce security policies.
  • The job positions in the security function must be formally documented and include qualifications and duties to be performed.
  • Appropriate resources must be made available to meet business needs in support of the security function.
  • Monitoring of security measures may be delegated to other parts of the organization but the security function must remain accountable for those security measures remaining effective.
  • The leader of the security function must report to senior management.
  • Key performance indicators should be established to monitor the performance and effectiveness of the security function.
  • The performance of the security function should be compared to industry benchmarks where possible.

8.0 Data Ownership

  • A process must be created which is used to determine both the owner and the caretaker (custodian) of data and systems in the organization. The process should include guidelines to help establish ownership and custodianship.
  • The roles and responsibilities of data and system ownership must be clearly defined and communicated to owners and custodians.
  • The roles and responsibilities of data and system custodianship must be clearly defined and communicated to owners and custodians.
  • Key stakeholders of systems and data must be defined by information technology management. Stakeholders may include managers, security officers, users, regulators, and suppliers.
  • Responsibility for the relationships with the business owners of data and systems must be assigned to information technology managers. Assigning these relationships between the business and information technology sides helps provide accountability.
  • Specific, Measurable, Attainable, Realistic, and Timely (SMART) goals of the IT to business relationships must be defined, agreed upon, documented, and communicated to the IT managers responsible. http://www.topachievement.com/smart.html
  • The persons that are responsible for managing the IT to business relationship must maintain regular contact and create plans to develop the relationship.

9.0 Policies and Compliance

  • An approval process for new or changed policies must be created.
  • Policies must be created, approved, and communicated in a timely fashion.
  • Specific persons must be made responsible for maintaining policies and the persons must have the necessary skills.
  • Specific persons must be made responsible for communicating policies and the persons must have the necessary skills.
  • Employment contracts must require compliance with policies along with enforcement using sanctions that may apply when policies are not followed.
  • A method must be used to gain acknowledgement from all users about their reading and understanding of policies, procedures, and standards that apply to their use or management of organizational resources.

11.0 Enforcement

Since following the IT Organizational Policy is important for the welfare of the organization, employees that purposely violate this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.

12.0 Other Policies

  • Segregation of Duties Policy
  • IT Human Resource Policy

13.0 Additional Requirements

  • A process must be created for creating, reviewing, and approving an information technology budget.
  • A process for escalating issues through the management chain must be created, documented, and communicated to staff.
  • A process must be created to review the staffing needs of the information technology department.
  • Policies and procedures describing the conditions under which work may be outsourced, and the types of work that can be outsourced, must be defined.
  • An approval process for policies must be created.

Approval

Approved by: __________________________   Signature: _____________________   Date: _______________