Process (or Procedures)#
Closely related to policies are procedures. Where policies define "what," procedures define "how." A proper policy suite serves as the basis for creating procedures. Procedures outline specific actions to take in specific situations and give instructions for how to handle events and incidents—even those that are unanticipated.
Procedures are just as important as policies, because properly defined procedures lead to repeatable results. Reaching higher levels in the identity management maturity model requires not only having procedures, but also ensuring they are consistently executed.
Procedures can be created proactively under authority granted in a policy. More often, though, procedures will spring up to fill a need without any specific authorization. That's natural and proper. What's important is that the IMA provide the context within which the procedures are created. Returning to our analogy of building codes, building codes don't have to authorize a contractor to create her own building procedures, but the procedures created by the best builders are done with the building code in mind.
One of the most important general procedures you can create is an incident-handling procedure. The incident-handling procedure is a pre-planning document for common, foreseeable incidents. The procedure should define areas of responsibility, actions to take, and the escalation process. Other organizations within the enterprise may define specific incident-handling procedures for their areas of responsibility, but they should be done under the umbrella of a general incident-handling procedure so that nothing falls through the cracks.