Procedures

Closely related to policies are procedures. Where policies define "what," procedures define "how." A proper policy suite serves as the basis for creating procedures. Procedures outline specific actions to take in specific situations and give instructions for how to handle events and incidents—even those that are unanticipated.

Procedures are just as important as policies, because properly defined procedures lead to repeatable results. As we saw in Chapter 15, reaching higher levels in the identity management maturity model requires not only having procedures, but also ensuring they are consistently executed.

Procedures can be created proactively under authority granted in a policy. More often, though, procedures will spring up to fill a need without any specific authorization. That's natural and proper. What's important is that the IMA provide the context within which the procedures are created. Returning to our analogy of building codes, building codes don't have to authorize a contractor to create her own building procedures, but the procedures created by the best builders are done with the building code in mind.

One of the most important general procedures you can create is an incident-handling procedure. The incident-handling procedure is a preplanning document for common, foreseeable incidents. The procedure should define areas of responsibility, actions to take, and the escalation process. Other organizations within the enterprise may define specific incident-handling ...

Get Digital Identity now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.