
Information Management IT Policy

Need to establish information management IT policy and want some practical timesaving suggestions?

Information management IT policy is a management process that governs accountability for the structure and design, storage, movement, security, quality, delivery and usage of information required for management and business intelligence purposes.

What governs accountability?

Policies, standards and best practices are used within an organization to provide information management direction.

What is information management IT policy?

We usually think of policy statements as something created by the government.  Fiscal policy comes to mind but there are varieties of other policies that help dictate how we should operate within a specific country or state or province. 

Companies also have policies, which state how they want to conduct business. 

Think of companies that have a “30-day no question return policy”. This policy lets customers know how they can expect to do business. Now the important part: everyone who might be involved with the policy also has to know about it.

Imagine you call customer service, ask for a refund, and are told, “Sorry, we don't accept returns”. That is certainly going to result in a second set of calls to customer service and is guaranteed to cause customer dissatisfaction.

A good information management IT policy needs to spell out certain key things:
  • Purpose lets everyone know what the policy covers;
  • Effective date specifies the date the policy started;
  • Application lets everyone know who is expected to follow the policy (the policy may not apply to everyone in the organization);
  • Background or context provides more information as to why the policy is needed. Depending on the organization this could discuss things like “risks addressed”;
  • Definitions provides clearer definitions for any terms and concepts found in the policy;
  • Related policies;
  • Related standards, if any;
  • Policy objectives should list specific objectives and expected results. In other words, what the company hopes to achieve with this policy;
  • Policy statements in terms of “customer services shall accept all customer returns, without question, within thirty days of the original purchase”;
  • Accountability should specify the specific responsibilities of people concerned with the policy;
  • Consequences should specify what will happen if the policy is not followed. This could spell out disciplinary actions for failure to adhere to the policy; and
  • Review cycle specifies how frequently the policy will be reviewed.


Information management IT policy, standards and best practices checklist

 
Information management IT policy should be included in IT policy
Information management best practices should include information management and business

Structure and Design Standards

Data model standards and best practices for structure and design should specify naming standards and best practices for:

Data Modeling Standards
Conceptual data model
Enterprise data model
Entity relationship diagrams
Logical data model naming standard
Physical data model naming standard
Data model naming standards
Data model repository standards
Data modeling best practices
Domain naming standards
Class list naming standard

Data Storage
Database management policy should specify how database operations will function within the organization including:
  • How frequently data should be “backed up”;
  • What off-site storage should be utilized; and
  • Where off-site storage is located
Database management standard should address data storage and data standards
Data warehouse standards and best practices should be established

Data Movement
Data movement best practices should be documented and communicated to project teams. These should include:
Master data management best practices; and
Data movement (ETL) repository folder naming standards.

Data Security

Information security policy should specify how data and information will be protected from unauthorized access. The data security policy should specify how to:

Build and Maintain a Secure Network, including
  • Install and maintain a firewall configuration to protect cardholder data

Protect Customer Data, including
  • Protect stored customer data; and
  • Encrypt transmission of customer data across open, public networks

Maintain a Vulnerability Management Program, including
  • Using and regularly updating anti-virus software or programs
  • Developing and maintaining secure systems and applications

Implement Strong Access Control Measures, including
  • Restricting access to customer sensitive data by business “need to know”.
  • Assigning a unique id to each person with computer access.
  • Restricting physical access to cardholder data.

Regularly Monitor and Test Networks, including
  • Tracking and monitoring all access to network resources and customer sensitive data.
  • Regularly testing security systems and processes.

Maintain an Information Security Policy that addresses information security for employees and contractors.
Data Security procedures should specify procedures for changing server configurations, user passwords and user access privileges.
Information protection and business continuity management policy should specify how the business would continue to operate in the event of a disaster. 
The disaster recovery policy specifies the procedures and processes required to recover data in the event of a disaster.
Security testing guidelines should be included in the project management framework

Metadata management

Metadata management policy should specify internal requirements for gathering, maintaining and providing metadata and metadata naming standards
A metadata management standard should be developed specifying roles and responsibilities and processes for maintaining metadata.

Data quality
Data quality policy, including data quality management policy, data quality standards and data quality guidelines should be established
A software-testing standard should be included in the project management framework

Project Management

A project management methodology or software development policy should be developed specifying how information management and business intelligence systems will be developed, tested and moved into production.
Project management standards and best practice in project management should be documented.
Information management specific documentation standards and project management templates should be developed
Human resources policies and human resource management policies should be developed to address information management specifics
Human resources policies should address the use of contract employees, consulting firms and outsourced development.

Business Intelligence

A metrics management policy should be developed specifying how metrics will be maintained to report information on the quality of data stored within various computer systems.
A corporate metrics management policy should be developed specifying how metrics will be defined for business intelligence purposes and who is responsible for maintaining metric classification.
Business intelligence best practices for reporting should be documented

Change Management

Change management policies should be included in change IT management policy
A change management policy and guide should specify how change requests will be developed, tested and moved into production.
A release management policy should be created.
Release management standards should be developed to include roles and responsibilities and testing requirements.
A configuration management policy or standard should be created

Summary...

Policies, standards, best practices and management plans are required to govern accountability for information management—Information management IT policy forms the basis for a successful information management discipline.
