What Are Policies, Standards, Specifications, Procedures and Exceptions

Submitted By stylinlp
Words 666
Pages 3
Policy

An Information Technology Policy is the highest-level document in the Information Technology (IT) Governance Standards set. An IT Policy sets the direction, tone and limits for the enterprise and for IT, and for the IT Standards that are developed under the authority of the Policy. A Policy should seldom change. IT Policies require compliance; failure to comply may result in disciplinary action. Exceptions can only be approved by the CIO. A Policy focuses on desired results, not on the means of implementation.

Accountabilities:
Oversight of IT Policies is the responsibility of IT Governance. Policies must be approved by the Chief Information Officer and the Enterprise Policy Council.

Standard

Information Technology Standards are the most frequently used documents in the IT Policies and Standards Library, serving as a reference for employees, contractors, consultants, and other persons.

An IT Standard:
• Defines requirements around a topic. The requirements may range from very specific (e.g., only 3DES and AES encryption algorithms may be used) to broad (e.g., web applications must check for common vulnerabilities).
• Provides requirements without stating dynamic details. When dynamic details are important, an IT Standard may require that a Specification or Procedure exist to contain those details.
• Is reviewed annually. The frequency of changes to IT Standards will vary with the maturity of the Standards.
• Permits exceptions only when they are documented and approved through the defined IT Compliance process.

Accountabilities:
IT Standards may be written or updated by anyone competent to write on the subject. IT Compliance will review the proposed change. IT Standards and changes to IT Standards must be approved by the Standard Owner. Each IT Standard must be reviewed by the IT Standard’s Owner annually.

Specification

An Information Technology Specification:
• Defines, describes, illustrates, and discloses the details necessary to meet the requirements of an IT Standard
• Is often the result of a requirement from one or more IT Standards and receives direction from those IT Standards
• Is normally considered subordinate to one or more IT Standards, but this is not a requirement
• Is at the same hierarchical level as an IT Procedure; the content of each may refer to and support requirements of the other
• Is intended to contain the dynamic details, such as those resulting from technology changes; such dynamic information is not appropriate for the more static IT Standard
• Contains details such as the settings used for a server build or the currently supported server configurations
• Is sufficiently detailed that an appropriately trained person could understand and use the IT Specification for a repeatable process
• Is most often directly related to the activities of an IT work group
• Is often used as a baseline to audit a group’s work implementing and maintaining IT infrastructure devices such as servers, routers or firewalls
• Permits exceptions only when they are documented as directed in the IT Specification or by the IT Compliance exception process

Accountabilities:
IT Compliance is responsible for deciding whether the details of an IT Specification are more appropriate for an IT Standard.

IT Specifications or Changes to IT Specifications:
• Must be authored by someone with sufficient competency to ensure that the requirements are appropriate
• Must be approved by the Manager responsible for implementation of the IT Specification
• Must be reviewed annually by the IT Specification owner

Procedure

An IT Procedure:
• Defines an IT process used to complete an identified task
• Is frequently the result of a requirement from one or more IT Standards
• Receives direction from the IT Standard
• Is normally considered subordinate to one or more IT Standards, but this is not a requirement
• Is at the same hierarchical level as a Specification
• May refer to and support requirements of other IT Procedures
• Contains the details of internal processes, such as the process for ordering hardware or the process for a firewall change

Accountabilities:
The accountabilities of IT Compliance, IT Standard Owners, and IT Managers are the same as those for a Specification.
