IT policies are a set of systematic guidelines that provide a path to achieve IT goals. IT policies may be influenced by government regulation, such as FERPA or HIPAA. IT frameworks take these laws into account and assist IT professionals in creating a lawful and ethical set of IT policies. An access control policy is one example of a policy that should take these government regulations into account.
IT Strategy vs. IT Policy
Main Similarities-
Both IT strategy and IT policy aim to maximize IT’s contribution to an organization’s business value. IT strategy is an iterative process that aims to align IT capability with business requirements and thus create shareholder value. IT policy is a set of systematic guidelines that provide a path to achieve IT goals. Enterprise Architecture is an example of an IT strategy that helps the business achieve its goals; the NIST Cybersecurity Framework is an example of an IT policy framework that does the same.
Both IT strategies and IT policies are dictated by top level management. Top level managers are the ones to align IT strategies and policies with the business goals. In some instances, mid-level managers may create sub-strategies or sub-policies. IT strategies and IT policies are created at the top-level in order to maintain a clear business direction and overall vision for the business. This enables an organization to align the strategies and policies with the business goals and create business value.
Both IT strategies and IT policies shape how employees approach certain situations. IT strategies give employees a business mindset that aligns their approach to situations with the business goals and vision. IT policies give employees a set of do’s and don’ts that align how they handle certain situations with the business goals and vision. Both the strategic mindset and the policy do’s and don’ts shape employees’ decisions within the company.
Main Differences-
IT strategy sets what IT does, that is, outcomes and goals; IT policy sets (constraints on) how IT does it, that is, guidelines, procedures, methods, regulations and standards. IT strategies determine the reasoning for doing something, whereas IT policies determine how, or whether, something can be done.
IT strategies are flexible depending on the situation, but IT policies are fixed and uniform in nature. IT strategies do not determine how something is done but why it is done, so the approach to carrying out a strategy can vary with the situation. IT policies, however, do not change based on the situation. Some situational judgement may be applied when following them, but the actions taken must not conflict with the policies.
IT strategies are made for actionable goals, but IT policies are made for decision-making. IT strategies are made so that an end goal can be achieved, but the approach and the actions taken to achieve it are not specified in strategy guidelines. IT policies specify actions to take or not to take, so a decision must be made whenever one of those situations is encountered.
Access Control Policy: An access control policy is a policy that restricts access to assets or resources to specific authorized users only. Access controls use one technique or a combination of techniques so that only authorized users can reach the restricted assets and resources. Access control techniques include both physical controls and computer controls; examples are electromagnetic locks, card readers, keypads, passwords, two-factor authentication, and multi-factor authentication. According to NIST’s Computer Security Resource Center (CSRC), in order “to assure the safety of an access control system, it is essential to make certain that the access control configuration (e.g., access control model) will not result in the leakage of permissions to an unauthorized principal.” Access control policies should be mindful of this. [1]
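As an added illustration of the access control policy described above (example code added here, not from the original page and not NIST’s own code): a small role-based policy with default deny, plus an audit routine that looks for the permission leakage the quoted guidance warns about. Every role, permission, principal and separation-of-duties rule below is constructed for a hypothetical university grading system.

```python
"""Added example: role-based access control with default deny and a
configuration audit that flags permission leakage. All data is constructed."""
from __future__ import annotations

from collections import deque

# Constructed policy data (hypothetical grading system).
# Roles map to the permissions they carry; ROLE_PARENTS expresses inheritance.
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "student":    {"grades:read-own"},
    "instructor": {"grades:read-course", "grades:write-course"},
    "registrar":  {"grades:read-all", "grades:write-all"},
    "admin":      set(),                      # gets everything via inheritance
}
ROLE_PARENTS: dict[str, set[str]] = {
    "admin": {"registrar"},
}

# Principals, each with assigned roles and any ad hoc direct grants.
# "dave" carries a direct grant his role does not justify; "erin" holds two
# roles whose combined permissions conflict. Both are deliberate test cases.
PRINCIPALS: dict[str, dict[str, set[str]]] = {
    "alice": {"roles": {"student"},               "direct": set()},
    "bob":   {"roles": {"instructor"},            "direct": set()},
    "carol": {"roles": {"admin"},                 "direct": set()},
    "dave":  {"roles": {"student"},               "direct": {"grades:write-all"}},
    "erin":  {"roles": {"student", "instructor"}, "direct": set()},
}

# Constructed separation-of-duties rule: a principal whose own grades are in
# the system must not also be able to write grades for a course or for everyone.
SEPARATION_OF_DUTIES: list[tuple[str, str]] = [
    ("grades:read-own", "grades:write-course"),
    ("grades:read-own", "grades:write-all"),
]


def effective_permissions(role: str) -> set[str]:
    """Permissions a role holds, including those inherited via ROLE_PARENTS.
    The visited set guards against cycles in a mis-configured hierarchy."""
    perms: set[str] = set()
    seen: set[str] = set()
    queue = deque([role])
    while queue:
        current = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        perms |= ROLE_PERMISSIONS.get(current, set())
        queue.extend(ROLE_PARENTS.get(current, set()))
    return perms


def role_permissions_of(principal: str) -> set[str]:
    """Permissions justified purely by the principal's role assignments."""
    entry = PRINCIPALS.get(principal)
    if entry is None:
        return set()
    perms: set[str] = set()
    for role in entry["roles"]:
        perms |= effective_permissions(role)
    return perms


def granted_permissions(principal: str) -> set[str]:
    """Everything the enforcement point would honour: role-derived permissions
    plus any direct grants. Unknown principals get nothing."""
    entry = PRINCIPALS.get(principal)
    if entry is None:
        return set()
    return role_permissions_of(principal) | entry["direct"]


def is_authorized(principal: str, permission: str) -> bool:
    """Default deny: access is allowed only if the permission is explicitly granted."""
    return permission in granted_permissions(principal)


def find_direct_grant_leaks() -> dict[str, set[str]]:
    """Audit: per principal, direct grants that no assigned role justifies.
    These are permissions that have leaked to a principal the role model
    does not authorize."""
    leaks: dict[str, set[str]] = {}
    for name, entry in PRINCIPALS.items():
        extra = entry["direct"] - role_permissions_of(name)
        if extra:
            leaks[name] = extra
    return leaks


def find_sod_violations() -> dict[str, set[tuple[str, str]]]:
    """Audit: per principal, separation-of-duties pairs where both permissions
    are held at once, whether through roles, inheritance or direct grants."""
    violations: dict[str, set[tuple[str, str]]] = {}
    for name in PRINCIPALS:
        held = granted_permissions(name)
        bad = {pair for pair in SEPARATION_OF_DUTIES if pair[0] in held and pair[1] in held}
        if bad:
            violations[name] = bad
    return violations


if __name__ == "__main__":
    for name, extra in find_direct_grant_leaks().items():
        print(f"{name}: direct grant outside role entitlements: {sorted(extra)}")
    for name, pairs in find_sod_violations().items():
        for first, second in sorted(pairs):
            print(f"{name}: separation-of-duties conflict: {first} + {second}")
```

The enforcement function `is_authorized()` honours the leaked grant for "dave", which is exactly why the configuration audit has to run separately from enforcement: the policy decision point cannot tell a legitimate grant from a leaked one, so the review of the configuration itself is where the leakage is caught.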
NIST Cybersecurity Framework – According to Wikipedia, “provides a policy framework of computer security guidance for how private sector organizations in the United States can assess and improve their ability to prevent, detect, and respond to cyber attacks.” [21]
Relationship with IT policy: Technology – The framework provides a guideline for standardized cybersecurity policies in order to prevent, detect, and respond to cybersecurity attacks.
Relationship with IT policy: Business – The framework provides a foundational structure for which IT cybersecurity policies can be aligned with business strategies.
The NIST Cybersecurity Framework [27] was first articulated in 2014 in response to President Obama’s Executive Order 13636. The intention was to provide a common, rigorous framework for organizations to protect their own critical infrastructure, as well as the nation’s, through risk management processes and other best-practice methods used in IT. Its features and intentions were stated as:
“Building from those standards, guidelines, and practices, the Framework provides a common taxonomy and mechanism for organizations to:
Describe their current cybersecurity posture;
Describe their target state for cybersecurity;
Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
Assess progress toward the target state;
Communicate among internal and external stakeholders about cybersecurity risk…
The Framework complements, and does not replace, an organization’s risk management process and cybersecurity program. The organization can use its current processes and leverage the Framework to identify opportunities to strengthen and communicate its management of cybersecurity risk while aligning with industry practices. Alternatively, an organization without an existing cybersecurity program can use the Framework as a reference to establish one.”
As can be seen, any organization can use this framework flexibly to set IT policy for its IT function in a manner that follows best practices and the recommendations of the US Government. That has definite advantages and value for the IT profession, including (according to the East Coast Polytechnic Institute) the following:
“The NIST Framework offers a lot of benefits to companies that choose to implement it, including:
Common language to address cybersecurity concerns
Improved collaboration between organizations, and easier sharing of new cybersecurity fixes and best practices
Easier regulatory compliance with various regulatory agencies
Improved use of security budgets
Avoidance of unnecessary or redundant cybersecurity measures
Demonstration of “due care”, which may reduce claims of negligence or inattention following a breach
Better understanding the cybersecurity risks present in supply chains”
These are just some of the benefits that using the NIST Cybersecurity Framework allows implementers. [28]