PO06 Process Description

PO06: Communicate Management Aims & Directions

1. Description

Policies and standards (to translate the strategic options into practical and usable user rules) established and communicated to the Client organizations.

2. Control Objectives

Positive Information Control Environment - Management should create a framework and an awareness program fostering a positive control environment throughout the entire organization by addressing aspects such as: integrity, ethical values and competence of the people; management philosophy and operating style; and accountability, attention and direction provided by the board of directors. Specific attention is to be given to information technology aspects
Management’s Responsibility for Policies - Management should assume full responsibility for formulating, developing, documenting, promulgating and controlling policies covering general aims and directives. Regular reviews of policies for appropriateness should be carried out. The complexity of the written policies and procedures should always be commensurate with the organisation size and management style
Communication of Organisation Policies - Management should ensure that organisational policies are communicated to and understood by all levels in the organisation
Policy Implementation Resources - After communication, appropriate resources should be earmarked by management for the implementation of its policies. Management should also monitor the timeliness of the policy implementation
Maintenance of Policies - Policies should be adjusted regularly to accommodate changing conditions. Policies should be re- evaluated, at least annually or upon significant changes to the operating or business environment, to assess their adequacy and appropriateness and amended as necessary. Management should provide a framework and process for the periodic review and approval of standards, policies, directives and procedures
Compliance with Polices, Procedures and Standards - Management should ensure that appropriate procedures are in place to determine whether personnel understand the implemented policies and procedures, and that the polices and procedures are being followed. Compliance procedures for ethical, security and internal control standards should be set by top management and promoted by example
Quality Commitment - Management of the information services function should define, document and maintain a quality philosophy, policies and objectives which are consistent with the corporate philosophies and policies in this regard. The quality philosophy, policies and objectives should be understood, implemented and maintained at all levels of the information services function
Security and Internal Control Framework Policy - Senior management should assume full responsibility for developing a framework policy which establishes the organisation’s overall approach to security and internal control. The policy should comply with overall business objectives and be aimed at minimisation of risks through preventive measures, timely identification of irregularities, limitation of losses and timely restoration. Measures should be based on cost-benefit analyses and should be prioritized. In addition senior management should ensure that this high-level security and internal control policy specifies the purpose and objectives, the management structure, the scope within the organisation, the assignment of responsibilities for implementation and the definition of penalties and disciplinary actions associated with failing to comply with security and internal control policies
Intellectual Property Rights - Management should provide and implement a written policy on intellectual property rights covering in - house as well as contract - developed software
Issue Specific Policies - Measures should be put in place to ensure that issue-specific policies are established to document management decisions in addressing particular activities, applications, systems or technologies
Communication of IT Security Awareness - An information technology security awareness programme should communicate the information technology security policy to each information technology user and assure a complete understanding of the importance of information technology security. It should convey the message that information technology security is to the benefit of the organisation, all its employees, and that everybody is responsible for it. The information technology security awareness programme should be supported by, and represent, the view of senior management.

3. Key Goal Indicators

Percent of IT plans and policies covering mission, vision, goals, values, and code of conduct which are developed and documented
Percent of IT plans and policies which are communicated to all stakeholders
Percent of the organization that has been trained in policies and procedures
Improved measure of user awareness based on regular surveys
Number of policies and procedures addressing information control

4. Key Performance Indicators

Time lag between policy approval and communication to users
Frequency of communications
Age of specific information policy documents (number of months since last update)
Percent of budget assigned to information policy development and implementation
Percent of policies that have associated operational procedures to ensure that they are carried out

5. Critical Success Factors

Policy enforcement is considered and decided upon at the time of policy development
A confirmation process is in place to measure awareness, understanding and compliance with policies
Well-defined and clearly articulated mission statements and policies are available
Information control policies are aligned with the overall strategic plans
Management endorses and is committed to the information control policies, stressing the need for communication, understanding and compliance
Management is leading by example
There is practical guidance with respect to implementation of policies and procedures
Diverse attention-catching methods are used to repeatedly communicate important messages
Information control policies are current and up-to-date
There is a consistently applied policy development framework that guides formulation, roll out, understanding and compliance

6. Service Maturity Variations

0 Non-existent	Management has not established a positive information control environment. There is no recognition of the need to establish a set of policies, procedures, standards, and compliance processes.
1 (Initial/Ad Hoc)	Management is reactive in addressing the requirements of the information control environment. Policies, procedures and standards are developed and communicated on an ad-hoc, as needed basis, driven primarily by issues. The development, communication and compliance processes are informal and inconsistent.
2 (Repeatable but Intuitive)	Management has an implicit understanding of the needs and requirements of an effective information control environment. However, practices are informal and not consistently documented. Management has communicated the need for control policies, procedures and standards, but development is left to the discretion of individual managers and business areas. Policies and other supporting documents are developed based on individual needs and there is no overall development framework. Quality is recognized as a desirable philosophy to be followed, but practices are left to the discretion of individual managers. Training is carried out on an individual, as required basis.
3 (Defined Process)	Management has developed, documented and communicated a complete information control and quality management environment that includes a framework for policies, procedures and standards. The policy development process is structured, maintained and known to staff, and the existing policies, procedures and standards are reasonably sound and cover key issues. Management has addressed the importance of IT security awareness and has initiated awareness programmes. Formal training is available to support the information control environment but is not rigorously applied. There is inconsistent monitoring of compliance with the control policies and standards.
4 (Managed and Measurable)	Management accepts responsibility for communicating internal control policies and has delegated responsibility and allocated sufficient resources to maintain the environment in line with significant changes. A positive, proactive information control environment, including a commitment to quality and IT security awareness, has been established. A complete set of policies, procedures and standards has been developed, maintained and communicated and is a composite of internal best practices. A framework for roll out and subsequent compliance checks has been established.
5 Optimized	The information control environment is aligned with the strategic management framework and vision and is frequently reviewed, updated and continuously improved. Internal and external experts are assigned to ensure that industry best practices are being adopted with respect to control guidance and communication techniques. Monitoring, self-assessment and communication processes are pervasive within the organization. Technology is used to maintain policy and awareness knowledge bases and to optimize communication, using office automation and computer based training tools.