Develop Governance for Data Privacy and Information Security

The DIRECTION Methodology

To assist clients in developing governance for data privacy, security and business continuity management programs, CIMA's engagement teams follow our structured DIRECTION Methodology for policy and standards development. To accelerate the development of a policy and standards document set, we have developed templates that we license and customize for each client.

One of the key things to note before undertaking this type of activity, whether supported by a consultancy or done in a D.I.Y. fashion, is that when building a structured program, many deliverables serve as input into other development activity. Our methodology is based on years of experience and proven success. When we developed our methodology, we also considered this simple model, which we use for process and procedural development as well:

A key design feature of our methodology is a hierarchical model that allows different approving authorities at different levels of the governance framework, as well as a diversity of documentation authors, as illustrated in the adjacent diagram.

The steps below provide a generalized overview of our methodology. The development of processes and procedures as part of an engagement is optional, and can be done wholly internally or outsourced, depending on the skill sets and availability of internal resources. Notwithstanding this, it should be understood that each level of the hierarchy mandates the next, in a completely integrated approach.

Policy and Standards Development

General Overview


Program Charter

Phase 1 - In this phase of our methodology, we prepare a program charter document, which provides executive leadership authorization and mandates that the program be developed and maintained. For ISO-based programs this is an invaluable document, as it provides foundational audit evidence of leadership support and is a mandatory requirement for organizational certification.

Additionally, the charter establishes high-level roles and responsibilities across the organization for the program.


Legal and regulatory review

Phase 2 is focused on the mandatory ISO Management System requirement of conducting a legal and regulatory review, to ensure that a qualified understanding of all organizational obligations is incorporated into the organization's policy and standards. This activity is similarly mandated under NIST-CSF.

A key concept to understand here is that any related obligation of the organization must be incorporated into its governance, to ensure that operations teams are aware of the need and that it has been mandated by leadership. Operations line managers and their staff cannot be expected to implement and maintain a control where they are not aware of the organization's obligation or expectation to do so.

Upon completion of the review, CIMA's team will generate a control catalog memorializing all requirements from legal and regulatory mandates.

Note: clients may elect to forego this activity if they have already performed it internally, or if they simply need to accelerate, using a rapid development approach, to meet a client-imposed deadline.


Governance Framework

Phase 3 - During this phase, the control catalog is organized into a structured model that becomes the blueprint for the building blocks of the policy and standards. The draft framework is provided for client review and amended as deemed appropriate.


Policy Development

Phase 4 - Our experts write a professional, high-quality policy based on the type of program we are working on with the client. The policy sets the stage for, and mandates, all of the control activity to be integrated into the policy standards, as well as setting the stage for management oversight, compliance monitoring and a variety of other critical areas.


Policy Standards Development

Phase 5 - In this phase, leveraging the governance framework, CIMA consultants work with the client team to develop a series of technology-agnostic policy standards, which incorporate the controls mandated in the legal and regulatory analysis. Controls are grouped by theme, to provide a single source of direction on a given topical area. Policy standards are intended to be an amplification of the policy, articulating the specific expectations of management.

The policy standards mandate the various processes and procedures required to satisfy the general management and control of each topical area. Where applicable, they may also require the development of forms, guides and other tools to assist the document's audience and stakeholders in complying.


Development of Processes, Operational Procedures, Technical Directives and Technical Configuration Guides

Phase 6 - It is important to note that many Policy & Standards Development engagements end at the completion of Phase 5. Phase 6 can be incorporated as part of one major effort, or as a follow-on engagement; typically, it is done in the latter fashion. The activity within Phase 6 focuses on the development of:

A. processes mandated under the policy standards;

B. operational procedures mandated within a process, as well as for the general use and daily management of related technologies;

C. technical directives, which are intended to provide clarity on how policy standards shall be achieved within a given technology environment; and

D. technical configuration guides articulating precisely which feature within the native technology environment or add-on tool will be used, and how to configure it to meet the organization's expectations. This level of granularity gives the organization a baseline technical standard for how technology will be configured to meet governance expectations. The residual value is realized when new employees or contractors join your team: on day one, with this guidance, they will be able to build server or other technology environments in a consistent manner. It can also be leveraged following an organization being hacked, as a baseline reference for assessing security changes in the environment to understand what changes the hacker may have made, allowing your teams to bring the environment back to a trusted state on an accelerated path.

For process and procedural development, we host facilitated workshops with our client's internal stakeholder community. Where desired, these can also include external stakeholders. Workshops are followed by drafting a flow of activity, identifying interrelated processes and procedures that need to be considered or subsequently assessed for impact, as well as supporting tools, etc. Where appropriate, CIMA consultants leverage our model process templates to accelerate the development effort. Drafts are reviewed by key client stakeholders and updated accordingly, until finalized.

For technical directives and configuration guides, we work collaboratively with your technical teams, in most cases simply as a facilitator, allowing them to be involved in the creation of the documents as much as desired. This development effort is typically performed in parallel with the process and procedural development efforts, and in some cases it is the technical directives that mandate the need for yet other operational procedures.