IT Authority Policy

I often write draft policy documents for my clients. I thought I'd go through and refresh those documents, and begin a blogging series that highlights the importance of Administrative Controls.

Administrative Controls are a "best practice" approach to managing information technology assets. They are the policies, procedures, and work instructions that convey management's expectations governing the use of those assets. These controls demonstrate management's interest and engagement in the process of managing information technology.

The risk concerning Administrative Controls is found in their absence, especially in areas of technical compliance. If management never bothered to create a policy governing their IT assets, they never bothered to create and communicate expectations to their employees, shareholders, or consumers, and therefore it could be construed they never intended to manage their IT environment in the first place. That lack of attention could be thought of as negligence, like, "why didn't management take reasonable, 'best practice' precautions in managing their stuff, anyway?"

In legal terms, management loses a "due care" argument: they never understood or accepted the risks of managing their IT environment and never took "due care" obligations seriously. That becomes a hole in their defense of a negligence claim.

The first policy I help my clients introduce is the IT Authority Policy. The IT Authority Policy identifies the executive responsible for implementing the suite of IT policies and procedures. This is the party responsible and accountable for IT policy implementation. This document serves as authorization from the chief executive or board of directors, delegating authority for managing the IT problem, and becomes the basis from which all other IT Policies are drafted.

This is a reasonable Authority Policy that can be modified to suit your needs; it is intended for use with a small to mid-range business. Have fun with it. Meanwhile, stay tuned for more policies and procedures that'll be introduced through my blog and available eventually from my website.

R