An Introduction to the MOF Policy SMF
Our previous four blog articles in this series explain the role of the Microsoft Operations Framework (MOF), service management functions (SMF’s) and introduce the Planning SMF which is the first step in implementing MOF within your business. If the topics introduced below don’t make sense or perhaps you feel they’re missing context then please refer to the following articles for background context and explanation.
Blog Article 1: What’s your ITIL IQ? Meet MOF.
Blog Article 2: The MOF Plan Phase
Blog Article 3: The MOF Business IT Alignment SMF
Blog Article 4: The MOF Reliability SMF
As a quick recap, the MOF IT service lifecycle encompasses all the activities and processes involved in managing an IT service: its conception, development, operation, maintenance, and ultimately its retirement. MOF organises these activities and processes into Service Management Functions (SMFs), which are grouped together in lifecycle phases. Each SMF is anchored within a lifecycle phase and contains a unique set of goals and outcomes supporting the objectives of that phase. The SMFs can be used as standalone sets of processes, but it is when SMFs are used together that they are most effective in ensuring service delivery at the desired quality and risk levels.
The Policy SMF belongs to the Plan Phase of the MOF IT service lifecycle. The following figure shows the place of the Policy SMF within the Plan Phase, as well as the location of the Plan Phase within the IT service lifecycle.
Why Use the Policy SMF?
The Policy SMF should be useful for anyone with responsibility for IT policy, which ultimately means everyone in the IT organisation. This is because policies are not only created and maintained, but they also need to be communicated, understood, and applied. This SMF provides sufficient context to understand the reasoning behind policies, the creation, validation and enforcement of policies, and how the policy management process communicates the policy and incorporates feedback about the policy. The purpose is to help the IT organisation remain in compliance with directives, such as GDPR. For the sake of clarity, these are the policies that address people and process, these are not machine based control polices such as Group Policy Objects.
The Policy SMF addresses how to:
- Determine areas requiring policy.
- Create policies.
- Validate policy.
- Publish policy.
- Enforce and evaluate policy.
- Review and maintain policy.
What purpose does policy serve in IT? What can be done so those responsible for implementing IT policy find company policies helpful and enforceable? This Policy SMF describes the process of translating and documenting organisational goals and values into written policies.
A policy explains what to do in a set of circumstances by providing necessary rules and requirements and by setting expectations about conduct. Policies help organisations clarify performance requirements, communicate management’s intent for how work should be done, and establish accountability and the foundation for compliance. Procedures break policies down into detailed steps that describe how work should be done and identify who should do what. To be effective, policies and procedures need to accurately reflect what the organisation wants done, they should clearly describe circumstances, rules, options, and activities in a way that is understandable and can be readily put into practice.
Although potentially wide ranging, policy generally centres on the following topics:
- Policy governance
- Partner and third-party relationships
- Knowledge management
- Appropriate use
Policy management includes writing policies, validating policies with stakeholders, and developing detailed procedures. It also helps determine how to implement and enforce policy and establishes the ongoing processes for policy improvement and maintenance.
Any organisation approaching policy management should be aware of the relationship between its policies and its internal control environment. When management considers a certain goal and its related risks, it must also consider whether to write a policy addressing that goal. The purpose is to communicate a clear standard of behavior to employees so that they know they will be expected to comply. Good policy management focuses policies on the right goals, ensures review and evaluation by the right people, and helps keep policies current.
Policy SMF Role Types
The primary Team SMF accountability that applies to the Policy SMF is the Management Accountability. The role types within that accountability and their primary activities within this SMF are displayed in the following table.
Table 1. Management Accountability and Its Attendant Role Types
|Role Type||Responsibilities||Role in this SMF|
|IT Executive Officer||Approves the IT organisation’s policies
Approves policy content and the policy management process
|Ensures that policies support organisational goals and regulatory requirements
Validates that policies are well-understood and used
|IT Manager||Manages effectiveness of policy communication and enforcement||Communicates policies that are usable and enforceable|
|IT Policy Manager||Works with business, management, and legal resources to define policy requirements
Responsible for industry regulatory knowledge
Owns policy creation, publication, and maintenance
|Delivers policies that are effective, current, and applicable, that address business, regulatory, and industry requirements|
|Change Manager||Manages the activities of the change management process for the IT organisation||Creates an environment where changes can be made with the least amount of risk and impact to the organisation|
|Configuration Administrator||Tracks what’s changing and its impact
Tracks configuration items (CIs) and updates the Configuration Management System (CMS)
|Ensures an always known state|
Goals of Policy Management
Successful policy management should result in documented, up to date guidelines that address the desired actions and behaviours of an organisation. More specifically, it should ensure that:
- Policies accurately capture management’s intent concerning the behaviours of the organisation.
- Policies contain clear statements of rules, but their implementation is carried out through procedures and employee judgment.
- Policies are communicated consistently and effectively across the organisation.
- Policies are defined in ways that consider their eventual application and evaluation.
Table 2. Outcomes and Measures of the Policy SMF Goals
|Policy supports management objectives||Audits of policies indicate that they appropriately reflect management objectives.|
|Employees utilise policy||There are no audit issues related to activities defined in policies.|
|Regulatory compliance||All regulatory audits are passed with no deficiencies.|
|Organisational compliance||All compliance audits are passed with no deficiencies (for example, security, privacy, or standards of conduct).|
Table 3. Key Terms
|Availability management||The process of managing a service or application so that it is accessible when users need it. Availability is typically measured in percentage of uptime, downtime refers to periods of system unavailability.|
|Business continuity planning||The process for planning and practicing IT’s response to a disaster or disruptive event. These activities span the organisation, beyond just IT, continuity planning affects Finance, Operations, and Human Resources (HR) functions.|
|Capacity management||In the context of IT, capacity refers to the processing or performance capability of a service or system. Capacity management is the process used to ensure that current and future business IT needs are met in a cost-effective manner. This process is made up of three sub-processes, business, service, and resource capacity management.|
|IT service continuity management||The process of assessing and managing IT risks that can significantly affect the delivery of services to the business.|
How can I implement MOF?
Hopefully by now you’ll begin to understand the value that the Microsoft Operations Framework can bring to your business. The goals, outcomes and measures outlined above require many activities and considerations which form part of our day to day activities at Strategic IT Support. In fact, we’re experts in MOF and have even developed a unique ITIL IQ™ process that benchmarks a business’s current state, identifies their desired state and provides an action plan (called a Service Delivery Plan) that helps organisations of all sizes achieve their desired business outcomes. Most importantly, our unique ITIL IQ™ process begins with a Proactive Services Maturity Review (PSMR) which identifies a score (out of 100) that clearly communicates the current state of your businesses IT operational maturity. Armed with your ITIL IQ™ score, a non-IT professional such as a finance or procurement professional can concisely present to the IT Executive Officer the businesses current state, desired state, and ITIL IQ™ score with an action plan to improve the ITIL IQ™ score and thereby ensure that IT’s goals are aligned with the goals of the business and that both are progressing together. Once the IT Executive Officer has bought into the MOF concept we can help to develop an IT service strategy, IT service map, IT service portfolio and Service level agreements.
How can I implement better IT policies?
Simply get in touch to arrange a free Proactive Services Maturity Review and one of our MOF experts will conduct an interview with the IT Manager or IT Executive Officer within your business and provide an ITIL IQ™ score with which you can measure the performance of your IT function. Once you know your ITIL IQ™ score we can provide a Service Delivery Plan to help you improve it each month and measure and report progress back to you during a Monthly Service Review. And there we have it, an ITIL based solution to simply identify and measure the performance of your IT function. So, are you ready to start improving your IT policies?
The Microsoft Operations Framework 4.0 is provided with permission from Microsoft Corporation.