Southern California/Orange County CIO Breakfast Round Table
November 13, 2008 meeting
Present: Andy King, Tina Haines, Sean Brown, Jim Sutter, William Zauner, John Pringle, Dave Loomis, Dave Phillips
We welcomed Dave Loomis, ex-Barnes & Noble, IBM, and Siemens to his first meeting.
The minutes of this and prior breakfasts are available online at the Peer Consulting Group’s website, www.peergroup.net, with links to the presentation material, when available.
Topic: IT Policies
Andy King, Exemplis Corporation, defined a policy as a statement of intent that is meant to influence and determine decisions, actions and other matters, for example a company’s personnel policy. Reasons for having IT policies include preventing abuse of IT resources, protecting owners and employees, providing guidelines for IT management decision making, integrating with corporate governance, and meeting regulatory, legal, and ethical requirements. Andy had a couple of slides defining where IT policies fit in an organization. Andy listed every IT policy he found - about 33 in total – and focused on the 7 major policies that Northwestern University has developed. These include policies on security, network/infrastructure, hardware, software, residential network, email and external vendors. Each of these can be expanded into multiple sub-policies. He showed us how the security policy expands into 9 sub-policies. I recommend that you refer to Andy’s presentation slides for the detailed listings. Andy also circulated examples that he gathered from organizations as varied as a mature industrial company (one long, legal 14-page policy document), several universities’ policy statements, and a government IT policy. He also listed reference items such as http://www.itgi.org/ (IT Governance Institute) and the British Standard ISO/IEC 38500:2008 on corporate governance of IT.
We asked members to tell us what IT policies they have or would recommend.
Tina Haines, Meggitt Electronics, said that over time they have developed sets of IT policies, but they are not very well coordinated. The company has 35 IT groups, which they are just now pulling together. The first step is to develop a common set of standards. They intend to develop policies regarding protection of data, security of equipment, email, etc. They are also attempting to install rigorous IT change control and DR. They do have accounting policies in place.
Sean Brown, RJTCompuquest, said that they have a very limited set of IT policies in place. Customers have their own and their consultants have to abide by those policies. They find that it is quite difficult (3 or 4 days) to gain access to customer’s computing resources because of the access policies in place.
Jim Sutter, Peer Consulting Group, said his philosophy over the years has been that fewer policies are better than too many, and if the current financial crisis is anything to go by, having policies in place doesn’t seem to guarantee proper behavior. Policies should capture a set of rules, and IT policies should be part of corporate policies, just like HR policies. When he was at Rockwell, he had the same person who drafted IT strategies in charge of drafting IT policies.
William Zauner, JAMS, relating to the handout document, agreed that one paragraph could easily turn into many pages of legal policy. He had outside counsel work with the HR department to draft the HR policies. What he tries to do is fix behavior rather than define policies on things like password protection and intellectual property protection when external contractors are involved.
John Pringle, ex-RCMT, said that they did not have many policies until SOX compliance became an issue. A manual was developed and they all had to sign a document to acknowledge having read the manual. To control internal usage of the Internet they use a content filter. They also have asset management policies. More and more customers are requiring their consultants to comply with their policies. The top security issue is access to data.
Dave Loomis said that when he worked with Siemens, they had to comply with the customer’s policies. They also controlled internal Internet access using technology, and were rigorous in controlling what you had installed on your computer and in installing antivirus software. Quite often, the executives were among those who got caught. They insisted that new employees attend training as a condition of employment.
Andy King, Exemplis Corp., added that they also have all new employees sign a technology use policy as a condition of employment, which is tied into the corporate strategy.
Thank you, Andy, for a very good presentation and handout. A copy can be found at: http://www.slideshare.net/occio.
See you on December 11, 2008 – 7:00 a.m. in the RJTCompuquest conference room at:
940 South Coast Dr., Suite 260, Costa Mesa, CA 92626.
Monday, December 1, 2008
CIO PeerGroup Roundtable Membership
Current CIO PeerGroup Roundtable Membership is at http://peermembers.blogspot.com