
Policies are high-level statements from Senior Management. They are a philosophy for management to be guided by; from the policies, management takes its direction to plan, build, run and monitor the activities that achieve the enterprise objectives.

Is it possible to judge/assign accountability at the policy level?

My company hired a consultant who made this statement, and I'm looking for perspectives that will justify it.

  • Ownership of what? The Policy or the activities dictated by the policy? Your question doesn't make that clear. And what do you mean by "ownership"? Do you mean a named person? or a group? – schroeder Apr 24 '21 at 11:26
  • I believe everyone in the organisation is expected to abide by the policies that are derived (applicable). Everyone is equally accountable for ensuring that actions are taken as per the policies. Is your question about the enforcement required? – Vijayabharathi Apr 24 '21 at 11:26
  • @schroeder 1. Ownership of policies, say "Access Control Policy", "Password Policy", etc. 2. As far as I know, activities/procedures should be under a process, which will have an owner who will be accountable for complying with the policy. But here our consultant said that policies need to have ownership. 3. At the policy level I'm not actually sure how ownership works; that's why I asked the question. 4. Policies come from Senior Management; no one can hold Senior Management accountable if some unauthorised person gets into the system by violating the access control policy, right? – Reasad Amin Apr 24 '21 at 11:54

1 Answer


Even after your comments, I'm still not sure what you are asking, but I will attempt to provide an answer.

High-level policies are set and "owned" by Senior Management.

Policies exist to assure that business objectives are met. Risks can affect those objectives. There are then risk owners, to ensure that there is someone ultimately accountable and resourced to manage those risks.

But there are multiple levels of policies that can apply at different layers of the business. The policies written to be closely tied to the activities that mitigate risks tend to be owned by the risk owner.

So, it is possible to have policies that have a single, named owner, and others that are "owned" by Senior Management. Policies that set a philosophy are high-level policies and are difficult to assign accountability to.

  • I think you are right, and it clears my confusion. There are multiple levels of policies; departments could also define policies, and they need to be consistent with the higher ones. Lower-level policies are focused on the operational level, so those include activities/procedures and processes, and surely those need to have ownership and accountability. That's a good discussion, thanks. – Reasad Amin Apr 24 '21 at 13:29