Sun 26 Aug 2007 12:00 AM

IT policies and procedures

Todd McGregor, managing director of Forrester Middle East, outlines a table of contents for IT procedures.

Part of any IT governance process is a set of documented policies and procedures that govern everything from procurement to security. Forrester has developed a table of contents to assist clients in getting started with the process of creating documented IT policies and procedures.

The individual policies themselves will be specific to each organisation, depending upon a number of factors, and not every organisation will necessarily incorporate every one of these policies.


Large IT organisations procure hundreds of millions of dollars of technology products and services each year, ranging from very small items up to multimillion-dollar, multiyear outsourcing contracts. With as much as 12% of revenues being spent on IT and with IT accounting for more than half of all capital budgets, having explicit and consistent procurement policies is critical.

Procurement policies should include not only acquisition of goods and services but also their disposition. Furthermore, they should include vendor management and asset management policies.


Computers are ubiquitous in the workplace today. Furthermore, there has been a growing shift away from desktop computers and toward laptop computers, which create their own set of issues because they often leave the premises with sensitive data on them. At the same time, the internet has also created an entirely new set of issues with respect to computer usage. Hence, a comprehensive set of usage policies must be articulated. The policies need to address the usage of IT assets by both internal employees and external entities, including contractors, distributors, agents, and others.


The ubiquity of the internet and the world-wide web has required new policies to deal with internet access, website-related issues, and general networking-related activities.

Many companies today support multiple networks and both internet and corporate intranet sites supporting internal company functions. Furthermore, an increasing amount of electronic commerce is passing through these networks, creating its own issues and exposures. A clear set of guidelines articulating appropriate networking activities is required.

IT services

Many IT organisations are moving to a service delivery model to better reflect their day-to-day mission of providing technology-based services to their customers (users). To support this effort, they are establishing service catalogues and publishing them. Policies need to be formulated around these services. Services range from provisioning personal computers to providing e-mail.

Next steps

This is not meant to be an exhaustive, all-inclusive list. When in doubt about whether to include a policy or not, the best course of action is to include it and then reduce the list later.

Having a set of formalised, documented IT policies is only the first step. The policies must be communicated and available, preferably via the intranet, and they must be enforced. Policies that are merely words on paper serve no purpose.

Ultimately, policies are intended to protect the organisation and to provide a consistent, measurable way for people to interact with the IT organisation.
