As a new CIO, I had an imperfect understanding of the role that policies, procedures, and rules played in managing a large IT organization and, more important, governing its interaction with the business. I underestimated their power and I neglected them for some time. As I became more comfortable in the role of CIO however, I realized that policies, procedures, and rules, properly enacted through a participatory and well-understood governance process, were the primary means by which I could shape the future direction of IT in a large, loosely coupled organization.

If you've completed the activities discussed in the preceding chapters, you'll understand the governance procedure that is used to create policies, have a good idea of the business context of your organization, have a good inventory of the processes and identities that exist in that context, and have an interoperability framework.

We distinguish between policies and standards. As we saw in the previous chapter, standards stipulate specific levels of performance, specify certain goods or services, set quality requirements, or describe best practices. Policies, on the other hand, are internally developed rules of conduct and behavior that are specific to the organization. Policies often refer to standards.

In this chapter, we'll discuss what policies are, how they can be written so as to be effective, how they can be implemented, and how they should be maintained.