IT has always had to support audits and certifications and navigate through what seems like constantly changing requirements. Compliance was visible to the board and IT had to answer to the board. That visibility, though, was rarely outside the building – and historically more top of mind for the CFO, the audit committee, internal audit and the CIO.
You’ve got CIOs who have been dealing with control requirements while cybersecurity, privacy and other technology-related risks grow daily. Then along comes the explosion of digital technologies, sparking businesses to explore new business models, new lines of business and new channels of delivery – and new uses of data, the volume of which grows constantly.
As one reaction to the growing breaches of personal data, the European Union passed the GDPR – the General Data Protection Regulation. GDPR is a continuation of data protection regulations we’ve seen in the past, like HIPAA; however, the GDPR is more consumer-based and hence spans more industries.
How are you going to bring balance between the need for control and the desire for speed and agility?
IDC’s new IT Policy Framework is a key part of a collaborative framework for managing digital disruption – it is the scaffolding on which to build a sturdy and connected approach to digital disruption. A modern technology policy framework needs to be “accessible” and understandable by those not used to the need for control and we’ve kept that in mind as we’ve developed this Framework.
IDC’s 7 Policy Principles for Data Governance
Consider these principles to help you “sell” the need for a framework to your partners in the LOBs, and to those who can mandate the adherence to policies.
- Policy as strategy: Developing policies around BYOD signals it as an organizational strategy; laying the foundation for more ubiquitous access to digital technologies within a framework of safety and privacy.
- Policy as change driver: Documenting, governing and communicating new policies signals changes in the way you did things before, clearly recognizing the roles that are to be accountable. On the path towards GDPR compliance, organizations named a Chief Privacy Officer; a clear indication that things are changing.
- Policy as a handbook: If you consider policy as strategy, what comes next? Tactical ways to enact that strategy – policies can take the guesswork out of some aspects of implementing strategy; they are “givens” when clearly documented. Reduced guesswork makes implementation move forward faster, safer and with confidence on the part of implementers that they are operating within a safety net.
- Policy as the playbook for the Digital Team: there are few areas more annoying in building a partnership than “non-communication of non-agreement”. When you are clearly at odds with your LOB partners, that’s something you can work with and work on to find the areas of non-agreement. When you are working to build collaboration and you are not aware there is a difference of opinion, that can bite you in the end – but sometimes not for months. Different people view the meaning of phrases differently. Having a set of jointly worded, agreed-upon policies can give you a common framework within which collaboration can flourish.
- Policy to protect value, including people, processes, and assets: protection is really at the heart of most processes; for example, a 90-day Password Reset Policy lessens the probability of someone breaching the system. Standard laptop policies can forbid user installation of unapproved software, to reduce the risk of malware entering the enterprise. And so on.
- Policy to comply with regulations: having policies that exist, are approved and mandated, and are followed is a visible part of compliance. For example, having IT asset management policies is key to complying with the NIST Cybersecurity Framework. That example shows the interrelationships of policies within a policy framework.
- Policy for value/quality: Policies enable a standard, efficient foundation on which to provide a standard, high quality, consistent customer experience.
We have some next steps we’ll be happy to share as you consider implementing a policy framework – watching this on-demand web conference will tell you more.
Cora Carmody is an adjunct research advisor for IDC’s IT Executive Programs.
Visit idc.com/itexecutive for more resources geared towards the IT and LOB leadership teams and information on research from IDC’s IT Executive Programs.