Get Instant Access
to This Blueprint

Infrastructure Operations icon

Develop Infrastructure & Operations Policies and Procedures

Document what you need to document and forget the rest.

  • Time and money are wasted dealing with mistakes or missteps that should have been addressed by procedures or policies.
  • Standard operating procedures are less effective without a policy to provide a clear mandate and direction.
  • Adhering to policies is rarely a priority, as compliance often feels like an impediment to getting work done.
  • Processes aren’t measured or audited to assess policy compliance, which makes enforcing the policies next to impossible.

Our Advice

Critical Insight

  • Document what you need to document and forget the rest. Always check to see if you can use a previously approved policy before you create a new one. You may only need to create new guidelines or standards rather than approve a new policy.

Impact and Result

  • Start with a comprehensive policy framework to help you identify policy gaps. Prioritize and address those policy gaps.
  • Create effective policies that are reasonable, measurable, auditable, and enforceable.
  • Create and document procedures to support policy changes.

Develop Infrastructure & Operations Policies and Procedures Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should change your approach to developing Infrastructure & Operations policies and procedures, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

1. Identify policy and procedure gaps

Create a prioritized action plan for documentation based on business need.


Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.

9.5/10


Overall Impact

$46,324


Average $ Saved

42


Average Days Saved

Client

Experience

Impact

$ Saved

Days Saved

State of Kansas Human Services

Guided Implementation

10/10

$42,249

23

City of Alexandria, VA

Guided Implementation

9/10

$50,399

60

The best part is that you have knowledgeable professionals on hand that provide good feedback and recommendations.

Westmoreland Mining LLC

Workshop

8/10

N/A

N/A

The best part was the enlightenment it brought to the team around the best practice standards and controls that are available to us through Info-Te... Read More


Develop Infrastructure & Operations Policies and Procedures

Document what you need to document and forget the rest.

Table of contents

Project Rationale

Project Outlines

  • Phase 1: Identify Policy and Procedure Gaps
  • Phase 2: Develop Policies
  • Phase 3: Document Effective Procedures

Bibliography

ANALYST PERSPECTIVE

Document what you need to document now and forget the rest.

"Most IT organizations struggle to create and maintain effective policies and procedures, despite known improvements to consistency, compliance, knowledge transfer, and transparency.

The numbers are staggering. Fully three-quarters of IT professionals believe their policies need improvement, and the same proportion of organizations don’t update procedures as required.

At the same time, organizations that over-document and under-document perform equally poorly on key measures such as policy quality and policy adherence. Take a practical, step-by-step approach that prioritizes the documentation you need now. Leave the rest for later."

(Andrew Sharp, Research Manager, Infrastructure & Operations Practice, Info-Tech Research Group)

Our understanding of the problem

This Research Is Designed For:

  • Infrastructure Managers
  • Chief Technology Officers
  • IT Security Managers

This Research Will Help You:

  • Address policy gaps
  • Develop effective procedures and procedure documentation to support policy compliance

This Research Will Also Assist:

  • Chief Information Officers
  • Enterprise Risk and Compliance Officers
  • Chief Human Resources Officers
  • Systems Administrators and Engineers

This Research Will Help Them:

  • Understand the importance of a coherent approach to policy development
  • Understand the importance of Infrastructure & Operations policies
  • Support Infrastructure & Operations policy development and enforcement

Info-Tech Best Practice

This blueprint supports templates for key policies and procedures that help Infrastructure & Operations teams to govern and manage internal operations. For security policies, see the NIST SP 800-171 aligned Info-Tech blueprint, Develop and Deploy Security Policies.

Executive Summary

Situation

  • Time and money are wasted dealing with mistakes or missteps that should have been addressed by procedures or policies.
  • Standard operating procedures are less effective without a policy to provide a clear mandate and direction.

Complication

  • Existing policies were written, approved, signed – and forgotten for years because no one has time to maintain them.
  • Adhering to policies is rarely a priority, as compliance often feels like an impediment to getting work done.
  • Processes aren’t measured or audited to assess policy compliance, which makes enforcing the policies next to impossible.

Resolution

  • Start with a comprehensive policy framework to help you identify policy gaps. Prioritize and address those policy gaps.
  • Create effective policies that are reasonable, measurable, auditable, and enforceable.
  • Create and document procedures to support policy changes.

Info-Tech Insight

  1. Document what you need to document and forget the rest.
    Always check if a previously approved policy exists before you create a new one. You may only need to create new guidelines or standards rather than approve a new policy.
  2. Support policies with documented procedures.
    Build procedures that embed policy adherence in daily operations. Find opportunities to automate policy adherence (e.g. removing local admin rights from user computers).

What are policies, procedures, and processes?

A policy is a governing document that states the long-term goals of the organization and in broad strokes outlines how they will be achieved (e.g. a Data Protection Policy).

In the context of policies, a procedure is composed of the steps required to complete a task (e.g. a Backup and Restore Procedure). Procedures are informed by required standards and recommended guidelines. Processes, guidelines, and standards are three pillars that support the achievement of policy goals.

A process is higher level than a procedure – a set of tasks that deliver on an organizational goal.

Better policies and procedures reduce organizational risk and, by strengthening the ability to execute processes, enhance the organization’s ability to execute on its goals.

Visualization of policies, procedures, and processes using pillars. Two separate structures, 'Policy A' and 'Policy B', are each held up by three pillars labelled 'Standards', 'Procedures', and 'Guidelines'. Two lines pass through the pillars of both structures and are each labelled 'Value-creating process'.

Document to improve governance and operational processes

Deliver value

Build, deliver, and support Infrastructure assets in a consistent way, which ultimately reduces costs associated with downtime, errors, and rework. A good manual process is the foundation for a good automated process.

Simplify Training

Use documentation for knowledge transfer. Routine tasks can be delegated to less-experienced staff.

Maintain compliance

Comply with laws and regulations. Policies are often required for compliance, and formally documented and enforced policies help the organization maintain compliance by mandating required due diligence, risk reduction, and reporting activities.

Provide transparency

Build an open kitchen. Other areas of the organization may not understand how Infra & Ops works. Your documentation can provide the answer to the perennial question: “Why does that take so long?”

Info-Tech Best Practice

Governance goals must be supported with effective, well-aligned procedures and processes. Use Info-Tech’s research to support the key Infrastructure & Operations processes that enable your business to create value.

Document what you need to document – and forget the rest

Half of all organizations believe their policy suite is insufficient. (Info-Tech myPolicies Survey Data (N=59))

Pie chart with three sections labelled 'Too Many Policies and Procedures 14%', 'Adequate Policies and Procedures 37%', 'Insufficient Policies and Procedures 49%'

Too much documentation and a lack of documentation are both ineffective. (Info-Tech myPolicies Survey Data (N=59))

Two bar charts labelled 'Policy Adherence' and 'Policy Quality' each with three bars representing 'Too Many Policies and Procedures', 'Insufficient Policies and Procedures', and 'Adequate Policies and Procedures'. The values shown are an average score out of 5. For Policy Adherence: Too Many is 2.4, Insufficient is 2.1, and Adequate is 3.2. For Policy Quality: Too Many is 2.9, Insufficient is 2.6, and Adequate is 4.1.

77% of IT professionals believe their policies require improvement. (Kaspersky Lab)

Presenting: A COBIT-aligned policy suite

We’ve developed a suite of effective policy templates for every Infra & Ops manager based on Info-Tech’s IT Management & Governance Framework.

Policy templates and the related aspects of Info-Tech's IT Management & Governance Framework

Info-Tech Best Practice

Look for these symbols as you work through the deck. Prioritize and focus on the policies you work on first based on the value of the policy to the enterprise and the existing gaps in your governance structure.

Project outline

Phases

1. Identify policy and procedure gaps 2. Develop policies 3. Document effective procedures

Steps

  • Review and right-size the existing policy set
  • Create an action plan to address policy gaps
  • Modify policy templates and gather feedback
  • Implement, enforce, measure, and maintain new policies
  • Scope and outline procedures
  • Document and maintain procedures

Outcomes

Action list of policy and procedure gaps New or updated Infrastructure & Operations policies Procedure documentation

Use these icons to help direct you as you navigate this research

Use these icons to help guide you through each step of the blueprint and direct you to content related to the recommended activities.

A small monochrome icon of a wrench and screwdriver creating an X.

This icon denotes a slide where a supporting Info-Tech tool or template will help you perform the activity or step associated with the slide. Refer to the supporting tool or template to get the best results and proceed to the next step of the project.

A small monochrome icon depicting a person in front of a blank slide.

This icon denotes a slide with an associated activity. The activity can be performed either as part of your project or with the support of Info-Tech team members, who will come onsite to facilitate a workshop for your organization.

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

Guided Implementation

Workshop

Consulting

"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

Diagnostics and consistent frameworks used throughout all four options

Accelerate policy development with a Guided Implementation

Your trusted advisor is just a call away.

  • Identify Policy and Procedure Gaps (Calls 1-2)
    Assess current policies, operational challenges, and gaps. Mitigate significant risks first.
  • Create and Review Policies (Calls 2-4)
    Modify and review policy templates with an Info-Tech analyst.
  • Create and Review Procedures (Calls 4-6)
    Workflow procedures, using templates wherever possible. Review documentation best practices.

Contact Info-Tech to set up a Guided Implementation with a dedicated advisor who will walk you through every stage of your policy development project.

Develop Infrastructure & Operations Policies and Procedures

Phase 1

Identify Policy and Procedure Gaps

PHASE 1: Identify Policy and Procedure Gaps

Step 1.1: Review and right-size the existing policy set

This step will walk you through the following activities:

  • Identify gaps in your existing policy suite
  • Document challenges to core Infrastructure & Operations processes
  • Identify documentation that can close gaps
  • Prioritize your documentation effort

This step involves the following participants:

  • Infrastructure & Operations Manager
  • Infrastructure Supervisors

Results & Insights

  • Results: A review of the existing policy suite and identification of opportunities for improvement.
  • Insights: Not all gaps necessarily require a fresh policy. Repurpose, refresh, or supplement existing documentation wherever appropriate.

Conduct a policy review

Associated Activity icon 1(a) 30 minutes per policy

You’ve got time to review your policy suite. Make the most of it.

  1. Start with organizational requirements.
    • What initiatives are on the go? What policies or procedures do you have a mandate to create?
  2. Weed out expired and dated policies.
    • Gather your existing policies. Identify when each one was published or last reviewed.
    • Decide whether to retire, merge, or update expired or obviously dated policy.
  3. Review policy statements.
    • Check that the organization is adequately supporting policy statements with SOPs, standards, and guidelines. Ensure role-related information is up to date.
  4. Document and bring any gaps forward to the next activity. If no action is required, indicate that you have completed a review and submit the findings for approval.

But they just want one policy...

A review of your policy suite is good practice, especially when it hasn’t been done for a while. Why?
  • Existing policies may address what you’re trying to do with a new policy. Using or modifying an existing policy avoids overlap and contradiction and saves you the effort required to create, communicate, approve, and maintain a new policy.
  • Review the suite to validate that you’re addressing the most important challenges first.

Brainstorm improvements for core Infrastructure & Operations processes

Associated Activity icon 1(b) 1 hour

Supplement the list of gaps from your policy review with process challenges.

  1. Write out key Infra & Ops–related processes – one piece of flipchart paper per process. You can work through all of these processes or cherry-pick the processes you want to improve first.
  2. With participants, write out in point form how you currently execute on these processes (e.g. for Asset Management, you might be tagging hardware, tracking licenses, etc.)
  3. Work through a “Start – Stop – Continue” exercise. Ask participants: What should we start doing? What must we stop doing? What do we do currently that’s valuable and must continue? Write ideas on sticky notes.
  4. Once you’ve worked through the “Start – Stop – Continue” exercise for all processes, group similar suggestions for improvements.

Asset Management: Manage hardware and software assets across their lifecycle to protect assets and manage costs.

Availability and Capacity Management: Balance current and future availability, capacity, and performance needs with cost-to-serve.

Business Continuity Management: Continue operation of critical business processes and IT services.

Change Management: Deliver technical changes in a controlled manner.

Configuration Management: Define and maintain relationships between technical components.

Problem Management: Identify incident root cause.

Operations Management: Coordinate operations.

Release and Patch Management: Deliver updates and manage vulnerabilities in a controlled manner.

Service Desk: Respond to user requests and all incidents.

PHASE 1: Identify Policy and Procedure Gaps

Step 1.2: Create an action plan to address policy gaps

This step will walk you through the following activities:

  • Identify challenges and gaps that can be addressed via documentation
  • Prioritize high-value, high-risk gaps

This step involves the following participants:

  • Infrastructure & Operations Manager
  • Infrastructure Supervisors

Results & Insights

  • Results: An action plan to tackle policy and procedures gaps, aligned with business requirements and business value.
  • Insights: Not all documentation is equally valuable. Prioritize documentation that delivers value and mitigates risk.

Support policies with procedures, standards, and guidelines

Use a working definition for each type of document.

Policy: Directives, rules, and mandates that support the overarching, long-term goals of the organization.

  • Standards: Prescriptive, uniform requirements.
  • Procedures: Specific, detailed, step-by-step instructions for completing a task.
  • Guidelines: Non-enforceable, recommended best practices.

Info-Tech Best Practice

Take advantage of your Info-Tech advisory membership by scheduling review sessions with an analyst. We provide high-level feedback to ensure your documentation is clear, concise, and consistent and aligns with the governance objectives you’ve identified.

Answer the following questions to decide if governance documentation can help close gaps

Associated Activity icon 1(c) 30 minutes

Documentation supports knowledge sharing, process consistency, compliance, and transparency. Ask the following questions:

  1. What is the purpose of the documentation?
    Procedures support task completion. Policies set direction and manage organizational risk.
  2. Should it be enforceable?
    Policies and standards are enforceable; guidelines are not. Procedures are enforceable in that they should support policy enforcement.
  3. What is the scope?
    To document a task, create a procedure. Set overarching rules with policies. Use standards and guidelines to set detailed rules and best practices.
  4. What’s the expected cadence for updates?
    Policies should be revisited and revised less frequently than procedures.

Info-Tech Best Practice

Reinvent the wheel? I don’t think so!

Always check to see if a gap can be addressed with existing tools before drafting a new policy

  • Is there an existing policy that could be supported with new or updated procedures, technical standards, or guidelines?
  • Is there a technical control you can deploy that would enforce the terms of an existing, approved policy?
  • It may be simpler to amend an existing policy instead of creating a new one.

Some problems can’t be solved by better documentation (or by documentation alone). Consider additional strategies that address people, process, and technology.

Tackle high-value, high-risk gaps first

Associated Activity icon 1(d) 30 minutes

Prioritize your documentation effort.

  1. List each proposed piece of documentation on the board.
  2. Assign a score to the risk posed to the business by the lack of documentation and to the expected benefit of completing the documentation. Use a scoring scale between 1 and 3 such as the one on the right.
  3. Prioritize documentation that mitigates risks and maximizes benefits.
  4. If you need to break ties, consider effort required to develop, implement, and enforce policies or procedures.

Example Scoring Scale

Score Business risk of missing documentation Business benefit of value of documentation

1

Low: Affects ad hoc activities or non-critical data. Low: Minimal impact.

2

Moderate: Impacts productivity or internal goodwill. Moderate: Required periodically; some cross-training opportunities.

3

High: Impacts revenue, safety, or external goodwill. High: Save time for common or ongoing processes; extensive improvement to training/knowledge transfer.

Info-Tech Insight

Documentation pulls resources away from other important programs and projects, so ultimately it must be a demonstrably higher priority than other work. This exercise is designed to align documentation efforts with business goals.

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

MEMBER RATING

9.5/10
Overall Impact

$46,324
Average $ Saved

42
Average Days Saved

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.

Read what our members are saying

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Need Extra Help?
Speak With An Analyst

Get the help you need in this 3-phase advisory process. You'll receive 5 touchpoints with our researchers, all included in your membership.

Guided Implementation 1: Identify policy and procedure gaps
  • Call 1: Assess current policies, operational challenges, and gaps.
  • Call 2: Mitigate significant risks.

Guided Implementation 2: Create and review policies
  • Call 1: Modify and review policy templates with an Info-Tech analyst.

Guided Implementation 3: Create and review procedures
  • Call 1: Workflow procedures, using templates wherever possible.
  • Call 2: Review documentation best practices.

Authors

Frank Trovato

Darin Stahl

Andrew Sharp

Contributors

  • Carole Fennelly, Owner, cFennelly Consulting
  • Marko Diepold, IT Audit Manager, audit2advise
  • Martin Andenmatten, Founder & Managing Director, Glenfis AG
  • Myles F. Suer, CIO Chat Facilitator, CIO.com/Dell Boomi
  • Peter Sheingold, Portfolio Manager, Cybersecurity, Homeland Security Center, The MITRE Corporation
  • Robert D. Austin, Professor, Ivey Business School
  • Ron Jones, Director of IT Infrastructure and Service Management, DATA Communications
  • Scott Genung, Executive Director of Networking, Infrastructure, and Service Operations, University of Chicago
  • Steve Weil, CISSP, CISM, CRISC, Information Security Director, Cybersecurity Principal Consultant, Point B
  • Tony J. Read, Senior Program/Project Lead & Interim IT Executive, Read & Associates

Visit our IT Cost Optimization Center
Over 100 analysts waiting to take your call right now: 1-519-432-3550 x2019