Implementing IT Policy

[TiG]

With my recent promotion to take over the running of IT of the company I work for (in addition to my technology/dev role of the speech recognition telephone systems), i've realised just how much there is to put in place for a company that doesn't do process well.

I've taken a step back and realise there are huge gaping holes in what exists and what needs to be put in place.

Lets start with the most important. (I have a brand new domain setup and almost ready to go with migration planned to fix some of the legacy issues - poor password/security policy. Backup proceedure usually takes 18hrs at the moment, new process in place backups all of the data in 1/9th the time)

I've started on the new things such as :-
IT new joiner/leaver policy
Remote access VPN policies (already improved current setup with audit trail and encryption)

Document policy is next on my list and the version control of the non development department is SHOCKING, i've checked one of our customer files and found 7, yes 7 versions, unlabelled of the same documents in different directories off the main sub folder.

There is no order to any of it, Thoughts to resolve this and bear in mind the company doesn't do process, is to slowly migrate people to a sharepoint 2007 install, at least that way i'm going to get some measure of control over document management and version control.

E-mail policy is already agreed but isn't being followed but thats easy to deal with.
Web access is under control after a few people got a shock when their manager presented them with their traffic figures for two days worth of internet access.

Question is what am I missing?.

TiG

[DR]

the best way to enforce it is with a graphite rod...

[burble]

Before you start implementing policy, make 100% sure that it can be enforced. A mate of mine setup some very sound policies but his management were too weak to do anything to enforce it (despite them agreeing to his proposals) so when the policies were largely ignored he was left looking like a right little hitler to some people in the company.

[Moby-Dick]

Have you looked at any of the MOF/ ITIL stuff Tony ?

[TiG]

Before you start implementing policy, make 100% sure that it can be enforced. A mate of mine setup some very sound policies but his management were too weak to do anything to enforce it (despite them agreeing to his proposals) so when the policies were largely ignored he was left looking like a right little hitler to some people in the company.

ahh you don't appreciate that i don't mind being the bad guy. But yes i'm well aware of that issue and while I appreciate the word of caution around this, its not just this that i want to understand its other things that i should be agreeing and documenting.

Things like asset management?, Software licencing etc.

Moby, good call - i'll have a read through later.

TiG

oh did i add i have a minion too

[timread]

USB device policy springs to mind (USB flash drives). Do you block write access to these by default?

Does your email policy cover staff requests to access each other's mailboxes (e.g. during sickness, leave etc)? That's a very common one - you could require HR and/or VP approval on that.

[Moby-Dick]

ahh you don't appreciate that i don't mind being the bad guy.

he's darn good at it too

Minions are the clear way forward.

Hopefuly the ITIL way will help get some order in where there was none.

the biggest problem in those kinds of things is change management.

[TiG]

USB device policy springs to mind (USB flash drives). Do you block write access to these by default?

Does your email policy cover staff requests to access each other's mailboxes (e.g. during sickness, leave etc)? That's a very common one - you could require HR and/or VP approval on that.

I'm actually very aware that i've got complete and total access to everything, which did raise the question of how do i police myself....

But luckily i've got that covered too, e-mail archiver to back up everything for compliance acts as a much better solution than giving carte blanche access to mailboxes. If you want an e-mail you need to know exactly who from, what time etc for me to be able to provide it back from the system.

Works fairly well and the emphasis on knowing what you are requesting works quite well from the abuse aspect.

As for Change management, i've got a complete IT fault and IT project register tracking everything done since i've taken over. I've had 3 years of complete IT incompitence here and if i've going to be able to change anything i do need to change attitudes (hearts and minds people )

Telling them and physically/electronically being able to demonstrate how things have improved is essential for me to be able to distinguish me from the muppets that have come and gone.

TiG