It’s time to discuss policies. Policies are the written rules your organization follows in the cloud. I know no one wants to discuss writing down rules. It’s tedious, it’s time-consuming, and from now on you should love doing it!

Knowing the rules for your organization is the first step towards establishing standards.

Policies and the Governance Lifecycle

Now that you’ve tackled the tedium of identifying the policies and defining the requirements that govern your cloud infrastructures, it’s time to create the policies. This next step in the governance lifecycle establishes the list of policies and rules which your organization or department should strive to meet. Whilst 100% compliance is the end goal, the starting point is simply to make your environment and resources within the cloud easy to identify and build.

It is time to create your policies so you can begin to look at ways to evaluate your compliance.

Most IT organizations have simple policies, but these policies seldom if ever traverse locations.  When they do, they are typically modified to suit the needs of the admin or admin team in control of those specific resources or sites. 

Common Policies

So, let’s look at the most common rules and policies that Stratum Technology Management tries to identify on each engagement:

  1. What is your naming convention?
    • This is simple, but the lack of a naming convention can easily make cloud deployments very difficult and very messy.  This leads to frustration with the cloud, and can even make some entities give up on the path to cloud adoption.
  2. What are the roles within your organization?
    • What are the clear-cut delineations of responsibility within your IT organization regarding cloud access? This should be clear and concise, but without single points of failure.
  3. What steps are you taking to manage network access and identify network resources?
    • Do you have a defined network architecture for the cloud?  What are your CIDR (IP address) ranges? How is this environment going to be secured and accessed?
  4. What, if any, are your security baselines for servers and network security?
    • There are tools like SVT and penetration tests you can run, but gathering a minimal list of requirements and rules as a starting point is highly suggested.

These 4 questions are just the tip of the iceberg. The general rule of thumb to follow here is that your policies should be written down so that they begin to define the procedures that everyone within the organization uses to create cloud resources.

Links to additional parts of the Governance Lifecycle:
Part 1: Where to Start
Part 2: Regulations – It’s the Law!
Part 3: Requirements – Your Benchmark for Success.
Part 4: Policies – Know the Rules
Part 5: Compliance and the Will to Succeed!

How Cloud is Taking IT Governance Out of the Stone Age Part 4: Policies – Know the Rules