Create an IT Policy Evaluation Tool to Evaluate an IT Policy
Lawrence Baiden
Northcentral University
TIM-7040 v3: Technology Policy and Strategy
Dr. Daniel Doss
April 4, 2023
Part 1: Create a Policy Evaluation Tool
In today’s business world, information technology (IT) policies play a crucial role in ensuring organizations’ effective and secure use of technology resources (Samimi, 2020). IT policies are guidelines and rules that govern an organization’s use of IT systems, services, and resources. However, merely having IT policies in place does not guarantee their effectiveness. It is crucial to evaluate these policies periodically to ensure that they align with the organization’s goals and objectives and mitigate potential risks. This report presents an evaluation tool for IT policies that can help organizations assess the effectiveness of their IT policies. The elements contained in this report include the title of the policy, the objective of the policy, expected improvements or controls to be mitigated by the policy, policy contents, stakeholders and users that need to observe the policy, evaluators and approvers of the policy, distribution and communication, user awareness sessions, and revision history.
The title of an IT policy should be a concise and descriptive statement that accurately reflects the policy’s purpose, scope, and intent. It should be clear, specific, and relevant to the policy’s subject matter while avoiding technical jargon or bias toward any group or individual. Considering the audience’s technical knowledge and expertise, the title should also be tailored to the target audience and the context in which it will be used. A well-crafted title can set the tone for the policy and help ensure it is well-received and understood by stakeholders and users.
The objective of an IT policy is a critical element that outlines its purpose and goals, providing a clear understanding of what the policy aims to achieve and how it will accomplish its objectives. It should align with the organization’s mission, vision, and strategic goals and be specific, measurable, achievable, relevant, and time-bound (Ishak et al., 2019). A well-written objective should be clearly defined, quantifiable, and achievable within a specific timeframe and contribute to the organization’s overall goals. For instance, an IT Security Policy’s objective could be to reduce the number of security incidents by 50% within the next 12 months, which is achievable, relevant, and time-bound. Such an objective helps the organization quantify the impact of the policy and track progress toward achieving its security objectives.
The section on expected improvements or controls to be mitigated by the policy describes the specific goals and objectives the policy aims to achieve (Lin et al., 2020). It outlines the risks and vulnerabilities the policy intends to address and explains how it will mitigate them. For example, an IT security policy might aim to improve the organization’s data protection by implementing data encryption protocols, limiting access to sensitive data, and enhancing user authentication processes. The expected improvements or controls should align with the policy’s objectives and provide a clear framework for stakeholders to understand the measures to mitigate risks and vulnerabilities. By clearly outlining the expected improvements or controls, the policy provides a roadmap for achieving its objectives and enables stakeholders to understand the rationale behind its guidelines and procedures.
The policy content should provide an overview of what the policy covers and does not cover. This section should also summarize the policies and procedures outlined in the document. The evaluation tool will include a comprehensive checklist that covers the following areas:
- Policy Scope and Purpose
- Policy Statement and Objectives
- Policy Definitions
- Policy Requirements
- Policy Compliance and Enforcement
- Policy Review and Revision
The stakeholders and users that need to observe the policy are individuals and groups who must comply with the policy’s guidelines. This includes employees, contractors, consultants, and third-party vendors accessing the organization’s IT resources. Other stakeholders, such as customers, partners, and regulatory bodies, may also need to observe the policy to comply with regulatory requirements or contractual obligations. The policy should identify these stakeholders and users and outline their roles and responsibilities in implementing the policy (Samonas et al., 2020). It should also explain the consequences of non-compliance to ensure that all stakeholders and users understand the importance of adhering to the policy’s guidelines and procedures.
The Evaluators and Approvers of an IT policy are responsible for reviewing and approving it. Evaluators review the policy and provide feedback on its content and effectiveness, ensuring it aligns with the organization’s goals, regulatory requirements, and industry standards (Benjamens et al., 2020). Approvers work with Evaluators to ensure that the policy is effective, efficient, and relevant, making necessary changes to keep it up-to-date. Evaluators and Approvers also ensure the policy is communicated to all relevant stakeholders and users, and that those stakeholders and users understand their roles and responsibilities in complying with it. Ultimately, Evaluators and Approvers play a crucial role in developing and implementing effective IT policies that support the organization’s objectives.
The distribution and communication section of an IT policy outlines how the policy will be disseminated to stakeholders and users. It describes the channels of communication and methods used to ensure that all stakeholders and users receive the policy and understand its content. Organizations may use various channels such as email, the company intranet, or employee training sessions to ensure effective distribution and communication. The section should also outline how stakeholders and users will be informed of any updates or revisions to the policy. The communication plan should ensure that all stakeholders and users receive and understand the policy’s content. This can be achieved through awareness sessions, mandatory training, and providing access to the policy document in various formats.
User Awareness Sessions are an essential component of an IT policy aimed at educating stakeholders and users about the guidelines and procedures of the policy. They ensure everyone understands their roles and responsibilities to comply with the policy (Li et al., 2019). These sessions can be delivered in various forms, such as workshops, seminars, and online courses, either in-person or remotely. The sessions should be interactive and engaging to retain the information presented. Compliance rates and survey feedback can be used to evaluate the success of User Awareness Sessions, and the information received can be utilized to improve future sessions.
The revision history of an IT policy is a critical component that provides a record of all changes made to the policy over time. It includes the date of each revision, the reason for the revision, a brief description of the changes made, and the name and position of the individual responsible for approving the revision. Maintaining a detailed revision history ensures transparency and accountability in the policy’s evolution. It helps to ensure that stakeholders and users are aware of the most up-to-date version of the policy and of any changes made. By tracking the evolution of the policy, organizations can identify areas for improvement and ensure that the policy remains relevant and effective in addressing new and emerging threats to the organization’s IT infrastructure. Overall, the revision history of an IT policy is an important component that ensures the policy’s transparency, accountability, and effectiveness.
Part 2: Evaluate an Organization’s IT Policy
The organization chosen for this evaluation is the Arizona Strategic Enterprise Technology (ASET), the state’s central IT organization (ASET, n.d.). ASET provides IT services and solutions to over 30 Arizona state agencies. This report evaluates the ASET IT policy using an evaluation tool developed in the previous section. The web address for the IT policy is https://aset.az.gov/policies-standards-and-procedures. The IT policy chosen for evaluation is the ASET Social Media Policy.
The ASET Social Media Policy provides guidelines for the acceptable use of social media platforms by ASET budget units (BUs) while representing the organization. The policy aims to ensure that social media use aligns with the organization’s values and objectives and mitigates any associated risks. Personal social media use is not restricted but should not create a conflict of interest or affect job performance or the organization’s reputation. The policy specifies the types of social media platforms employees can use and requires compliance with applicable laws and regulations. Consequences for non-compliance are outlined, and the policy is subject to regular review and revision to remain relevant and aligned with the organization’s objectives and goals.
The evaluation tool for assessing the ASET Social Media Policy includes six criteria that cover the scope and purpose, policy statement and objectives, policy definitions, policy requirements, policy compliance and enforcement, and policy review and revision. Each criterion has a description and a scale showing the requirements for each level in the evaluation tool, as presented in Appendix A.
The criteria and rating scale were selected based on best practices in IT policy evaluation and the ASET Social Media Policy’s unique requirements. The policy’s scope, objectives, and requirements should be clearly defined, and the policy statement should be aligned with the organization’s goals. The policy definitions should be comprehensive and accurate, while the requirements should be complete and relevant. The compliance and enforcement measures should be clear to ensure that users understand the consequences of non-compliance. Finally, the review and revision process should be established to ensure the policy is up-to-date and aligned with the organization’s objectives. The rating scale for each criterion ranges from 1 to 3, where 1 represents the lowest level of compliance, and 3 represents the highest level of compliance. The scale helps assess each criterion’s compliance level and enables organizations to quantify the effectiveness of their IT policies.
The IT policy of Arizona Strategic Enterprise Technology (ASET) that we evaluated is the Social Media Policy (P5050). Here is the evaluation of the policy using the evaluation tool.
Figure 1
Evaluation Tool for Social Media Policy
| Criteria | Score | Comments |
| --- | --- | --- |
| Policy Scope and Purpose | 3 | Clearly defined scope and purpose |
| Policy Statement and Objectives | 3 | Clearly defined statements and objectives |
| Policy Definitions | 3 | Clearly defined definitions |
| Policy Requirements | 3 | Fully relevant policy requirements |
| Policy Compliance and Enforcement | 2 | Partial measures for compliance or enforcement |
| Policy Review and Revision | 3 | Clearly defined policy review and revision |
The Social Media Policy of ASET is a comprehensive policy that covers various aspects of social media usage within the organization. The policy has a clear scope and purpose, and the policy statement and objectives are specific, measurable, achievable, relevant, and time-bound. The policy definitions are clear, concise, and easily understandable, and the policy requirements are relevant and appropriate for the organization’s needs and objectives. The policy review and revision process ensures its effectiveness and relevance. However, the Social Media Policy of ASET lacks well-defined measures for compliance and enforcement. The policy mentions that violations of the policy may result in disciplinary action, but it does not provide clear guidelines or procedures for handling such violations. Without clear guidelines and procedures, policy enforcement can lack clarity and consistency, which undermines its effectiveness. Therefore, the policy needs well-defined measures for compliance and enforcement to ensure that the policy is followed and that violations are handled appropriately.
Recommendations to Improve the Policy
Develop Clear Guidelines for Compliance and Enforcement: The policy should include clear guidelines and procedures for compliance and enforcement. The guidelines should outline the consequences of policy violations, the process for reporting violations, and the steps to be taken in case of a violation. By providing clear guidelines and procedures, employees will know what is expected of them and the consequences of non-compliance.
Implement Monitoring and Auditing: ASET should implement a monitoring and auditing system to ensure that the policy is followed. The monitoring and auditing system should include regular checks of social media activities and reviews of policy compliance. This will help identify policy violations and ensure the policy is followed.
Provide Training and Awareness: ASET should provide regular training and awareness sessions to employees on the social media policy. The training should cover the policy guidelines, the consequences of non-compliance, and the importance of social media security. Regular training and awareness sessions will help employees understand the policy requirements and the consequences of non-compliance, reducing the risk of policy violations.
The ASET Social Media Policy is an example of how ASET uses IT policy strategically. The policy provides guidelines for ASET employees’ social media use, ensuring that confidential information is protected and the organization’s reputation is safeguarded. By implementing this policy, ASET is using IT policy to mitigate risks associated with social media use and ensure that employees’ behavior on social media platforms aligns with the organization’s values and objectives. Additionally, the policy provides a regular review and revision mechanism to ensure it remains relevant and practical, demonstrating ASET’s strategic approach to IT policy.
References
ASET. (n.d.). Retrieved April 7, 2023, from https://aset.az.gov/
Benjamens, S., Dhunnoo, P., & Meskó, B. (2020). The state of artificial intelligence-based FDA-approved medical devices and algorithms: An online database. NPJ Digital Medicine, 3(1), 118.
Ishak, Z., Fong, S. L., & Shin, S. C. (2019). SMART KPI management system framework. In 2019 IEEE 9th International Conference on System Engineering and Technology (ICSET) (pp. 172-177). IEEE.
Li, L., He, W., Xu, L., Ash, I., Anwar, M., & Yuan, X. (2019). Investigating the impact of cybersecurity policy awareness on employees’ cybersecurity behavior. International Journal of Information Management, 45, 13-24.
Lin, C., Braund, W. E., Auerbach, J., Chou, J. H., Teng, J. H., Tu, P., & Mullen, J. (2020). Policy decisions and use of information technology to fight coronavirus disease, Taiwan. Emerging Infectious Diseases, 26(7), 1506.
Samimi, A. (2020). Risk management in information technology. Progress in Chemical and Biochemical Research, 3(2), 130-134.
Samonas, S., Dhillon, G., & Almusharraf, A. (2020). Stakeholder perceptions of information security policy: Analyzing personal constructs. International Journal of Information Management, 50, 144-154.
Appendix A
Scale of the Evaluation Tool
| Criteria | Description | Scale |
| --- | --- | --- |
| Policy Scope and Purpose | The scope and purpose of the policy are clearly defined. | 1 – Not defined; 2 – Partially defined; 3 – Clearly defined |
| Policy Statement and Objectives | The policy statement and objectives are specific, measurable, achievable, relevant, and time-bound. | 1 – Not specific or measurable; 2 – Partially specific or measurable; 3 – Fully specific or measurable |
| Policy Definitions | The policy definitions are clear, concise, and easily understandable. | 1 – Not clear or concise; 2 – Partially clear and concise; 3 – Fully clear and concise |
| Policy Requirements | The policy requirements are relevant and appropriate for the organization’s needs and objectives. | 1 – Not relevant or appropriate; 2 – Partially relevant and appropriate; 3 – Fully relevant and appropriate |
| Policy Compliance and Enforcement | The policy compliance and enforcement measures are clear. | 1 – No measures for compliance or enforcement; 2 – Partial measures for compliance or enforcement; 3 – Clear measures for compliance and enforcement |
| Policy Review and Revision | The policy includes a review and revision process that ensures its effectiveness and relevance. | 1 – No review or revision process; 2 – Partial review or revision process; 3 – Full review and revision process |