Corporate Governance of IT

SAMPLE IT Policy

Purpose:

The purpose of this IT Policy is to provide a high level statement of management’s expectations for information technology. This is a short, directive and enabling document. It provides a framework for process definition and implementation and should be consistent with business and technology strategies of the enterprise. (It does not contain detailed, prescriptive information. These belong in standards, procedures, guidelines and terms & conditions of employment.)

Objective:

The objective of information technology policy is to direct how to choose a course of action in a process when there is often many factors to consider. IT policies serve to customise process execution by communicate organisational preferences and the entitlements of stakeholders. The policies described in this document record the authorised organisational preferences of the executive managers relating to information technology.

The Board has approved the is Information Technology Policy.

Policy

The purpose of this Policy is to direct the use of information technology at . . . . . . . . . . . . . . . .

It is the policy of . . . . . . . . . . . . . . . that:

I. Solutions are to be Open Source and based on Open Architecture

The preference will be to use open source technology that is based on open standards.

II. Process requirements are to be based on the CobiT / ITIL / ISO 12207 framework

CobiT / ITIL / ISO 12207, is the internationally recognized and widely adopted IT management framework, is the preferred source of process related guidance.

III. Procurement of IT Resources is to be based on the Technological Infrastructure Plan

Only IT resources, related services, support and training related to the items listed in the Technological Infrastructure Plan may be procured.

IV. Normal working hours for Service Continuity is from  ...... am to  .... pm, ...... days per week

No service is available from the IT Section outside of normal working hours.

V. The IT Section only supports components identified in the Technological Infrastructure Plan

The IT Section is not required to support any IT component not included in the Technological Infrastructure plan and not before the planned implementation date.

VI. All service requests and incidents are to be logged through the IT Section’s Service Desk

Every service request and incident shall be prioritized. Issues affecting only one person will be assigned a response time of 24 hours.

VII.  Data Ownership

The executive managers are the "responsible parties" charged with responsibility to maintain their business unit’s data integrity and to protect personal information under their control.

VIII. A relatively low level of Information Security is acceptable

This organisation's information is available to the general public and therefore does not require a high-level of security. However certain categories of information, all personal information and the information necessary to configure the organisation’s systems and ensure continuity of service, must be secured in accordance with the Information Security policy.

IX. Sourcing

Purchasing generally available, complete IT solutions will be preferred over developing bespoke (i.e. highly customized) IT solutions.

X. Deviation from Policy

Any deviation from this policy must be reported to the Board.

XI. Change Control

The review and amending of the IT Policy is the responsibility of the CEO in conjunction with the Chairperson of the Board.

Standards will be produced to support this IT policy.

The role and responsibility for managing information technology will be performed by the CIO¹. He/she has direct responsibility for maintaining this policy and providing advice and guidance on its implementation.

All business unit managers are directly responsible for implementing the IT Policy within their business areas, and for adherence by their staff.

It is the responsibility of each employee to adhere to the IT Policy.

Signed: ____________________________________

Title: ______________________________________ Date: _________

1. This may be a part or full-time role for the allocated person.