Management should adopt and enforce appropriate policies and procedures to manage technology risk. The effectiveness of these policies and procedures depends largely on whether they are used by internal staff and vendors. Testing compliance with these policies and procedures often helps to identify and correct problems before they become serious. Clearly written and frequently communicated policies can establish clear assignments of duties, help employees to coordinate and perform their tasks effectively and consistently, and aid in the training of new employees. Senior management should ensure policies, procedures, and systems are current and well documented.
In general, a policy is a governing principle that provides the basis for standards, and carries the highest authority in the organization. It is an overall statement of corporate philosophy or intent that reflects the best market practice. Standards are mandatory criteria that ensure corporate conformity with policy, government regulations, and acceptable levels of control. Procedures are typically documents that describe, in detail, the behavior or processes used to adhere to the criteria mandated by standards.
Financial institutions should create, document, maintain, and adhere to policies and standards to manage and control their IT environment. Documented procedures are one of the evidentiary elements that can demonstrate compliance with those policies and standards. The level of detail required depends on the complexity of the IT environment, but it should enable management to monitor the identified risk posture.