Assessing Identity Policies

Policies should be assessed when they are first created and again whenever they come up for review or modification. This assessment is most effective when done as a semiformal procedure, carried out routinely, with a brief report to the reviewing body. Policies of any sort can be difficult to assess; the criteria below are ones you might want to use when reviewing and assessing yours.

Completeness

We would like policies to cover every situation that might come up, but that is not practical for reasons of cost and because we cannot foresee every possible problem. The best approach is to create a policy that seems complete and then add to it with discretion as problems arise. This is the approach used by the building trades to create building codes and it has served them well. The reviewing body should review any incident reports that bear on the policy and make recommendations about changes to the policy that would have prevented or lessened the severity of any related incident.

Effectiveness

To gauge effectiveness, the enterprise must have some goal that it wants the overall identity policy suite to accomplish, and it must understand how each policy in the suite contributes to that goal.

Cost

Cost can be difficult to assess, but it is worth at least estimating so that you can make a case for or against a policy, or for changes to an existing one. The estimate should cover the cost of complying with the policy as well as the cost of not implementing ...

Get Digital Identity now with the O’Reilly learning platform.
