Standard templates

The following template can be used as a base from which to build your own standards.

<DepartmentName> <FunctionName> Standards

Standards may be declared at the corporate or at the department level. Regardless, they are formal management artifacts, and should follow all corporate standards for logos, typesetting, colors, headers and footers, confidentiality notices and disclaimers.

In the standards document, each paragraph should be numbered, to facilitate discussion of standards, including identifying the specific standard for which a waiver is being requested. Even the paragraphs in the purpose, scope, and communication plan should be numbered so that they can be discussed with clarity.

1 Purpose

1.1 The purpose of this standard is to outline <insert department name, if applicable> <insert organization name, i.e. MyCompany> standards for <insert functional area and function name>.

2 Scope

2.1 This policy applies to <Insert clear, direct description of who/what/where is covered by this policy (e.g. “all hardware within the data centers. It does not apply to third party hosted solutions or to LAN desktop hardware.”)>

3 Standards

List standards below using logical groupings. It is perfectly acceptable to refer to external artifacts such as spreadsheets of approved abbreviations to be used in database field names and images of company logos to be used in report headers, but any such artifacts must also be included in the document repository.

3.1 <Insert clear, direct statements outlining the standard using will/shall liberally throughout>.

3.1.1 <Use ordinal numbered bullets for outline levels when applicable>

3.1.2 <Use ordinal numbered bullets for outline levels when applicable>

3.2 <Example> Database Field Naming Conventions.

3.2.1 <Example> Pascal Case - Database table and field names in this environment should use Pascal case, where the first letter of each word is capitalized, with no spaces or underscores, i.e. TranStatus…

3.2.2 <Example> Database Field Name Suffix –

3.2.2.1 <Example> All database fields which represent calendar dates should be named with a “Dt” suffix.

3.2.2.2 <Example> All database fields which represent currency amounts should be named with an “Amt” suffix and be declared as DECIMAL(20,2).

4 Implementation Timeline and Effective Date

4.1 <insert “who or what”, i.e. “All MyCompany Applications,” “All MyCompany systems,” or “All MyCompany personnel”> shall be compliant with these standards by <Insert Date>.

5 Questions, Feedback, and

5.1 Questions, concerns or complaints regarding these standards shall be submitted by email to the Standard owner listed at the end of this document. Submissions will be documented and tracked to disposition without reprisal.

5.2 Requests for new standards or alterations to existing standards shall be submitted by email to the Standard owner listed at the end of this document. Explain who/how/when submissions will be acknowledged, reviewed, and accepted or rejected.

6 Waivers and Risk Acceptance

6.1 Any system or group not able to comply with these standards must have an approved Standard Waiver and Risk Acceptance Form on file in the <insert name of standards body> by the policy effective date.

6.1.1 The Standard Waiver and Risk Acceptance Form, <insert location>, includes a mandatory mitigation plan and instructions for submitting the form.

6.1.2 Explain escalation process if the submitter does not accept the decision of the standards body.

7 Compliance Management

7.1 Explain how compliance with the standard will be monitored. Explain who is responsible for monitoring compliance to standards, when that monitoring occurs, and where the results are recorded. Monitoring of compliance is an important requirement of a mature, continually improving governance process.
For example, “Before moving code from the development to the test environment, it must pass a code review by the team technical lead. Code review is automatically part of the change management request process, and the results are discussed in the code review meeting on Tuesdays and Fridays.”

8 Non-Compliance

8.1 What are the consequences of non-compliance? For example, “Any code which does not pass a code review cannot be moved to the test environment without an approved waiver.”

9 Communication Plan

9.1 How are these standards to be communicated? The <insert position title, not name> or their designee shall be responsible for determining what job roles, if any, must take specific training.

9.2 Will there be training available? Is that training mandatory? For what roles? Who is responsible for ensuring that all of the correct people are educated? How often should the training be repeated in order to stay current? The <insert position title, not name> or designee will develop requirements for any specific standards training deemed necessary, to be administered and tracked through <corporate education portal>.

10 Revision Cycle

10.1 How often should this standard be reviewed and updated? How are changes made and approved?

Process and role templates

Blank Process and Role Template Document

<Information System Name><Functional Area Name><Process Name>

1. Purpose:

The purpose of this procedure is to <insert clear description of WHAT the procedure is intended to describe (e.g., outline specific steps to create accounts for X application)>.

This process and its roles support the <list of names and locations of corporate-wide policy documents that this process implements. This should never be an empty list.>

This process supports the <names and locations of applicable standards. These are often department-specific, which is fine as long as each department standard is documented and complies with the overarching corporate policy>

2. Scope:

This Process applies to <list clear, direct description of who/what/where is addressed by this policy (e.g. all MyCompany employees). >

3. Process:

< Insert the specific steps necessary to execute the purpose listed in section 1.0. This should be sufficiently detailed to enable a new employee to successfully execute the procedure with limited guidance/oversight>

<make sure to note if any sections are optional. When these process and role documents are initially captured, they should be reviewed by the enterprise governance board. You should expect that there are some gaps. These should be identified, and feedback returned to the authors of the document, along with a timeline for remediation.>

3.1. Roles and Responsibilities

<Insert your RACI Matrix here, showing all roles for each step in the process. The Process flow in section 3.3 will only show roles for those responsible for actually performing the work.>

3.2. Process Location

<Describe the location within your organization (not the geographic location) that is subject to this document.>

3.3. Process Flow

<This is the bulk of the document. Begin with a flowchart showing all the process steps, separated into swimlanes representing each responsible role. After that overview, begin again, describing each process step in detail. Explain how each process step works, how the process is approved or rejected and how the process step transitions to another step of the process.>

3.4. Process Timeline and Service Level Agreements

<Describe any specific timelines or service levels. Remember that service levels are not always related to time. They may be related to quantity, quality, etc. Spell out the nature of the process goals, including how they are measured, where the measurements are stored, who is responsible for taking the measurements, who is responsible for reviewing them. Some measurements are contractual, and should be integrated with the contract management function.>

3.5. Process Controls

3.5.1. Management Oversight

<In addition to the roles responsible for each step of the process, there is usually an executive responsible for the overall process. How is this manager kept abreast of the overall state of the process? This may also include reporting to the project management office.>

3.5.2. Exception/Waiver process

<How does one request a waiver or exception to the process? How is it granted, and by whom? Where are exceptions stored? What is the escalation process if the requester disagrees with the ruling on the request?>

4.0 Procedure Information
