
IT Policies & Standards - mapping the gap

Subject: IT Policies & Standards - mapping the gap
Date: Mon, 1 Nov 2004 11:54:23 +0200
We are about to start assessing a client's IT policies and standards. 
Note that the scope is beyond just security policies and standards,
and will encompass the broader IT policies and standards.

In addition to assessing the policy and standards management framework
(prioritisation of development / revision, ownership, approval, etc.),
we will be assessing the gap, i.e. missing policies and standards.

My question is this:  How would you go about determining the gaps?

The client's internal audit function has raised an audit finding
regarding missing policies and standards, but it is fairly
non-specific and does not give guidance on what IA think is actually
missing.

We will be interviewing the CIO and various IT Managers around the
globe, but expect that their input would be more on the usefulness (or
not) of the existing policies and standards, rather than what specific
documents they would like to see in the next year or two.

Approaching the problem from both ends, we would like to assess the
existing policies and standards against frameworks, i.e. CoBiT, ITIL,
ISO17799, ISF SoGP, etc.  SANS Policies Project also comes to mind,
but is obviously security focused, as are 17799 and ISF SoGP.

Do you have any thoughts on:
- Additional frameworks that could be used
- The value of using the above frameworks
- Pitfalls of using the frameworks

One of the key considerations is the minimum set of required IT
policies and standards for an organisation.  It would be very easy to
come up with a list of 100 policies and standards for the client to
develop.  This is not feasible in virtually all organisations.  How do
you determine the minimum set?

Thanks in advance
plokta
