Best Practices for Policies and Standards Maintenance

The following list of activities and advice is drawn from the leading practices of experts in policy and standards development and management. It was culled from years of experience and is offered so that you can avoid many of the pitfalls others have encountered when developing a policy and standards library:

  • Ask yourself the key questions of who, what, where, when, why, and how as you set out to research and develop policies and standards.
  • Base your decisions on core information security principles to support business objectives. Because there are no universal recipes for developing policies and standards, you need to rely on principles to advance the cause.
  • Establish a cohesive and coherent document organization taxonomy that leaves you with room for growth and changes.
  • Use common templates for each type of document and stick with them. Nothing causes more confusion than differing document styles that are intended to serve the same purpose.
  • Use a collaboration tool for developing documents that allows others access to drafts early in the development cycle. It should be easy to solicit reviews and comments.
  • Establish a repeatable review process for your draft documents. The process should consider a representative sample of people who will be affected by new policies and security controls.
  • Publish your library in a form that your organization is already using. Introducing new technology for distributing policies and standards at the same time you publish the documents may cause unnecessary confusion.
  • Use a broad variety of communications and awareness media and techniques to reach a wide audience. Keep your message consistent and easy to understand.
  • Establish a policy change control board to help identify major changes to the library and to keep it up to date.
  • Create a “lessons learned” process to improve the policy through feedback and review of major events.
