Policies, procedures, and rules, properly enacted through a participatory and well-understood governance process, become the primary means by which to shape the future direction of IT in a large, loosely coupled organization.
Before writing policy, you should understand the governance procedure that is used to create policies, have a good idea of the business context of your organization, have a good inventory of the processes and identities that exist in that context, and have an interoperability framework in place.
We distinguish between policies and standards. Standards stipulate specific levels of performance, specify certain goods or services, set quality requirements, or describe best practices. Policies are internally developed rules of conduct and behavior that are specific to the organization. Policies often refer to standards.
The Policy Stack#
Many technologists are loath to create policies, feeling that policies stifle creativity, impede productivity, and are nothing more than an autocratic attempt to control people. In fact, if designed correctly, policies enable action and productivity. You cannot create an IMA and reap the attendant benefits without policies. They are the heart of the architecture as well as the foundation on which effective identity management strategies are formed. Policies define appropriate behavior, specify the tools and processes that will be used, communicate a consensus, and provide a foundation for enforcement.
Many organizations have a smattering of security policies in place, and some of these touch on identity issues. Creating an identity management architecture means separating out the identity aspects of those policies and building a holistic approach to identity on which to base not only security policies but also other important aspects of the business.
Figure: IMA policy stack.
The interoperability framework of standards undergirds the identity policies. These policies cover naming, passwords, encryption, authentication, privacy, access control, provisioning, directories, and federation, among others. In turn, the IMA supports activities important to the business such as software practices, security policies, software licensing, contracting, procurement, customer strategies, information protection, risk assessment, and partner interactions.
Attributes of a Good Identity Policy#
Since policies define appropriate behavior and form the basis for enforcement, they must have several important qualities.
Good policies should be realizable given existing technology and resources. Technical controls are not always possible, and a policy that depends on a control nobody can implement will simply be ignored. One reason for having subject-matter experts available as one of the IMA governance roles is to provide the expertise needed to ensure that the policy being developed is workable. As you get buy-in from the various groups, many of the problems that would keep the policy from being implemented will surface during the review process.
Enforceability requires that the policy give clear guidelines on what to do and that enforcement procedures be clearly spelled out. For example, if enforcing a particular policy requires periodic physical audits of the workplace, then the procedure for conducting the audit and its timetable should be given in the policy, either directly or by reference. Penalties for non-compliance should also be included in the policy where applicable. Creating workable enforcement provisions will usually require having legal and human resources subject-matter experts review and comment on the policy.
The people who have to live by the policies should be able to understand them. Writing good policies requires walking a fine line between formal and informal language. Users often perceive formal language as "stuffy" or "officious." At the same time, informal language often lacks the precision necessary to say clearly what needs to be said. Regardless, the tone should be straightforward and clear, using short sentences and bulleted lists for ease of reading. Paragraphs (and subparagraphs) should be numbered so that they can be referenced easily. Policies should avoid the passive voice wherever possible, because it obscures who is responsible for taking action ("accounts will be revoked" does not say by whom). Most organizations will want to adopt a template as one of their first actions in creating policies, so that subsequent policies share a common format.
Guided by the business#
Policies should be tied to business goals and represent a consensus. Nothing is more important than creating consensus among the influencers in your organization around each policy. People trying to "just get the work done" will circumvent policies that are too restrictive, not understood, or perceived as impractical. One of the primary purposes of the IMA governance procedure, and of building the business model, is to create a process that avoids policies that "don't work." Remember that no matter how important you think a particular policy is, it will be a waste of time if most people do not voluntarily adopt it. Enforcement is less a tool for forcing compliance than a tool for ensuring uniformity and gathering feedback.