IT Unified Compliance Framework
Organizational policies
A policy is a definitive plan or method of action to guide decisions and actions.
Policies should be selected from the various possible alternatives in the light of organizational conditions and the impact that
they will have.
Policies are meant to limit individual discretion to make decisions about which choices and actions (or behaviors) can be taken
regarding the topic in question. Because of this, a policy's intended purpose is to influence and guide both present and future
decision making to be in line with the philosophy, objectives, and strategic plans established by the organization's
management teams. In addition to policy content, well-structured policies describe the consequences of failing to comply with
the policy, the means for handling exceptions, and the manner in which compliance with the policy will be checked and
measured.
In practice, an organizational policy is a formal document describing the organization's position on a particular aspect of
compliance with regulations, standards, and guidelines. Therefore, it acts as an official statement of a position, plan, or course
of action established by an identified sponsoring authority, which is designed to influence, to provide direction, and to
determine decisions and actions with regard to a specific topic. Organizational standards, procedures, and guidelines flow
from policies.
Policies come in two basic forms: high-level policy statements and detailed policies.
Many times the high-level policy statements will have direct links to organizational standards and procedures, such as an
organizational policy for the destruction of electronic media (tapes, drives, etc.) that would then point to the organizational
degaussing standard and associated step-by-step procedures for more explicit information.
Detailed policies provide more in-depth information such as purpose, authority, and detailed definitions of sub-topics. Detailed
policies often have direct links to individual procedures for follow-through methods. A good example of a policy-procedure
pairing is an organizational records retention policy that details various definitions of record types and then links each type to
the procedures that need to be followed to carry out that specific portion of the policy.
Policies, because they are mandatory within the organization, are enforced by the organization under the auspices of the
Human Resources and/or Legal departments and failure to comply with a policy is generally punishable by disciplinary action
that could include suspension or even termination to the extent permitted by law.
Organizational standards
Standards are definitional and clarifying in nature and are established either to further understanding and interaction or to
acknowledge observed (or desired) norms of exhibited characteristics or behavior. Organizational standards are used to define
the commonality of parts and processes. A standard can be:
1. An object or measure of comparison that defines or represents the magnitude of a unit.
2. A characterization that establishes allowable tolerances or constraints for categories of items and parameter settings.
3. A degree or level of required excellence or attainment.
Thus, organizational standards may specify minimum performance levels, describe best practices within the company, or
serve as the list of controls (or their parameters) that the organization must follow in order to attain compliance within a given
area. In general computing terms, a standard is a set of detailed technical guidelines used as a means of establishing
uniformity in an area of hardware or software development.
Standards can be put in place to support a policy or a process, or as a response to an operational need. Like policies, well-
structured standards will include a description of the manner in which noncompliance will be detected.
Because standards directly support organizational policies, they should be enforced with the same level of authority as the
organizational policy they clarify.
Document1
Organizational procedures
A procedure is a step-by-step description of tasks required to support and carry out organizational policies. Therefore, a
procedure can be thought of as an extension of a policy that articulates the process that is to be used to accomplish a control.
More formally, procedures are the step-by-step documentation of the course of action to be taken to perform a given task as a
series of steps, followed in a definite regular order, ensuring a consistent and repeatable approach to accomplishing control
activities.
Because procedures directly support organizational policies, they should be enforced with the same level of authority as the
organizational policy they support.
Legal Sources
Federal Policy
Health Insurance Portability and Accountability Act
45 CFR Parts 160, 162, and 164 (HIPAA)
Family Educational Rights and Privacy Act 34 CFR
Part 99 (FERPA)
Computer Fraud and Abuse Act of 1986
USA PATRIOT Act
What is a Policy?
Definition
Application
Approval Authority
Review Timeframes: Policy content and implementation are reviewed 12 months after initial approval under the UTAS Policy
Framework (Review 1). Thereafter, reviews are undertaken every three years (Review 2 onwards).
Review Approval Authority: Minor amendment(s) to Policy are approved by the Director, Governance and Legal. Major
amendment(s) to Policy are approved by the initial Approval Authority (Vice-Chancellor or Council).
What is a Procedure?
Definition
Application: University-wide application OR specific to a Faculty, School, Centre, Institute or Division, Section or Work Unit.
Approval Authority: Approved by a Policy Custodian, which includes:
- the Vice-Chancellor
- Members of the Senior Management Team (SMT) including the Deputy Vice-Chancellor (Academic) and Provost, Pro
Vice-Chancellor (Research), Pro Vice-Chancellor (Students and Education), Executive Director Finance and Administration,
Executive Director Planning and Development, Chair of Academic Senate and Deans of Faculties
- Heads of Schools and Centres
- Heads of Administrative Sections/Work Units and
- Directors/Principals of University Institutes.
Review Timeframes: Procedure content and use are reviewed 12 months after initial approval under the UTAS Policy
Framework (Review 1). Thereafter, reviews are undertaken every three years (Review 2 onwards).
Review Approval Authority: Minor amendment(s) to Procedures are approved by the Director, Governance and Legal. Major
amendment(s) to Procedures are approved by the initial Approval Authority (Policy Maker).
What is a Guideline?
Definition
Application: University-wide application OR specific to a Faculty, School, Centre, Institute or Division, Section or Work Unit.
Approval Authority: Approved by a Policy Custodian, which includes:
- the Vice-Chancellor
- Members of the Senior Management Team (SMT) including the Deputy Vice-Chancellor (Academic) and Provost, Pro
Vice-Chancellor (Research), Pro Vice-Chancellor (Students and Education), Executive Director Finance and Administration,
Executive Director Planning and Development, Chair of Academic Senate and Deans of Faculties
- Heads of Schools and Centres
- Heads of Administrative Sections/Work Units and
- Directors/Principals of University Institutes.
Review Timeframes: Guideline content and use are reviewed 12 months after initial approval under the UTAS Policy
Framework (Review 1). Thereafter, reviews are undertaken every three years (Review 2 onwards).
Review Approval Authority: Minor amendment(s) to Guidelines are approved by the Director, Governance and Legal. Major
amendment(s) to Guidelines are approved by the initial Approval Authority (Policy Maker).
What is a Standard?
Definition
Application: University-wide application OR specific to a Faculty, School, Centre, Institute or Division, Section or Work Unit.
Approval Authority: Approved by a Policy Custodian, which includes:
- the Vice-Chancellor
- Members of the Senior Management Team (SMT) including the Deputy Vice-Chancellor (Academic) and Provost, Pro
Vice-Chancellor (Research), Pro Vice-Chancellor (Students and Education), Executive Director Finance and Administration,
Executive Director Planning and Development, Chair of Academic Senate and Deans of Faculties
- Heads of Schools and Centres
- Heads of Administrative Sections/Work Units and
- Directors/Principals of University Institutes.
Review Timeframes: Standard content and use are reviewed 12 months after initial approval under the UTAS Policy
Framework (Review 1). Thereafter, reviews are undertaken every three years (Review 2 onwards).
Review Approval Authority: Minor amendment(s) to Procedures are approved by the Director, Governance and Legal. Major
amendment(s) to Procedures are approved by the initial Approval Authority (Policy Maker).