Last week, we talked about the importance of developing a unified IT policy, and putting that policy down in writing. With a bit of work and patience, you can make sure that other managers, department heads, and the executive team understand and support the policy decisions.
However, from time to time, you will receive requests that run counter to your policy, or at least push its boundaries. How should you handle these requests without having to say “no” all the time, while still maintaining the security and integrity of your network?
Understand the Request
When a manager or user comes to you with a request that at first seems counter to IT policy, it’s a good idea to ask, “What are they really asking for?” Is it an easier way to accomplish their work or an improved workflow? Is it an annoyance in their current toolset that needs to get cleared up?
Once you understand why the request is being made, then you can work with the requestor to find a solution that both conforms to the IT policy and solves the problem. In some cases, you already have a tool or solution that meets their needs, but they need some help implementing it. A bit of training and communication can go a long way toward making the requestor feel heard and understood.
Calculate the Support Costs
Maybe you have evaluated the request, and determined that an exception can be granted and the request accommodated. Before giving the OK, though, be sure to account for the ongoing and long-term costs of implementing an exception. Will it complicate a third-party audit of your systems? How often are updates and patches released, and how will you manage those? What would be the risk if a serious vulnerability were discovered in that software?
Once you’ve analyzed the total costs associated with the request, you’ll have a clearer picture of whether the request can be accommodated, and what the total cost of ownership (TCO) will end up being.
Identify the Policy Issues
If a mutually agreeable solution cannot be found, you’ll need to help the requestor understand why the policy is in place and why an exception cannot be granted. For example, would the request put you out of compliance with a regulation, such as HIPAA? Or would it open up another security vulnerability or attack vector?
If necessary, complete a full risk assessment, and use that to explain the issues to the requestor and management. When the requestor understands the reason for the policy and the issues with their request, it will go a long way toward making them feel better about being told “no”. And in the unlikely event that the issue has to be escalated to upper management, you’ll be able to present a clear picture for the decision-making process.
In addition to having a good IT policy, you’ll need a good IT team who can work with you to implement the policy and provide excellent service to your organization. Our next few articles will dig into what’s involved in building a quality IT team.
Need help with building or implementing your IT policy? A managed service provider like E-N Computers can be exactly what you need. We help businesses in Virginia, Maryland, and Washington, D.C. to manage their IT needs in a way that helps their company grow. Contact us today!