Is Your IT Policy Working? IT Quality Assurance

This statement grabbed my attention this week, mostly because it seemed so concisely obvious (a good thing).

“You can generate all the policies that you want, but unless you have some kind of monitoring and enforcement mechanism, you don’t know if a policy is working or not,” says Bob Gorrie, information security project manager at USEC, a supplier of enriched uranium fuel for commercial nuclear power plants based in Bethesda, Md.

Source: Data loss start-ups sell out – Network World

Having spent more than a few years at Intel (read: manufacturing), I often look at IT processes, relate them to manufacturing practices, and see parallels. In a manufacturing world you would never think of establishing a process without also establishing control limits and tests to tell whether you were operating within those limits. It would be a disaster for manufacturing to “run off the rails” and for you not to notice until large quantities of defective goods had been produced.

I think the same methodology (design the process, design the tests) is hugely beneficial to IT. Hooray for you (truly) if you are a practitioner of the “process determines results” school of thought in IT, and if you have great policies that are broadly communicated, understood and practiced. But frankly, if you don’t have a way to routinely tell whether your policies and processes are working the way you intend, you’re missing IT Quality Control.

In the context of NetVision, if you have great role definitions, automation and processes for granting rights and managing identities, but you don’t have an arms-length (read: independent, third-party) check on the state of the system and the effectiveness of your controls, you are probably missing the element you need to stay on track toward your desired goals and to improve.
