Abstract—Policy management in organizations has become a rising issue in the last decade because of today’s regulatory requirements. Managing policies in large organizations is imperative work. However, a major challenge facing organizations in the last decade is managing all the policies in the organization and making them active documents rather than simple (inactive) documents stored on a computer hard drive or on a shelf. Because of this challenge, organizations need a policy management program. This policy management program can be either manual or automated. This paper presents suggestions towards managing policies in organizations, as well as a possible policy management solution or program to be utilized, manual or automated. The research first examines the models and frameworks used for managing policies from various perspectives in the literature of the research area/domain. At the end of this paper, a policy management framework is proposed for managing enterprise policies effectively and in a simplified manner.
Keywords—Policy, policy management, policy management
program, policy repository.
I. INTRODUCTION
Policy can be defined as a plan of action used by an organization to give instructions from its senior management to those who make decisions, take actions and perform other duties on behalf of the organization [1]. A major challenge facing organizations in the last decade is how to distribute all their policies to target employees and to ensure that those employees read, understand and comply with all policies in the organization [3]. Because of this challenge, there is a strong demand in organizations for some kind of policy management solution. This policy management solution can be either manual or automated [3]. Policy management in the context of this paper is the conversion of policies into practical and enforceable [3] documents that can be implemented in the organization as a whole, rather than simple documents that employees neglect or do not read. However, most organizations manage their policies manually. Weisman states: “Developing a manual policy management solution is creating a set of procedures that reflects the purpose of the policy. Keep the policies as high level as possible; the procedures and guidelines will provide the details necessary for day-to-day operations” [3]. Managing policies manually is good for small organizations, but large organizations should have software solutions to manage their policies in a way that is quick, online and reliable.

D. A. Ga’al is with the Information Systems Department, Universiti Teknologi Malaysia, Johor, Malaysia (daaha_isme@yahoo.com).
W. Zainal Abidin is an associate professor at the Advanced Informatics School, Universiti Teknologi Malaysia, International Campus, 54100, Kuala Lumpur, Malaysia (wardah@utm.my).
II. POLICY
Policy can be defined as a plan of action used by an organization to give instructions from its management to those who perform day-to-day duties on behalf of the organization [1]. It can also be defined as organizational rules and regulations that define acceptable and unacceptable behavior within the organization [1]. A policy is typically a written document that defines a plan or course of action to guide decisions and achieve rational outcome(s) in an organization [2].
III. POLICY MANAGEMENT
In the last decade, policy management has become an imperative issue in organizations because of modern regulatory requirements. Policy management entails managing the life cycle of the policy from drafting until archival. According to [4], there are five key stages of policy management:
• Establishing policy requirements - Investigating all the “relevant law, regulatory requirements, guidelines and best practice” [4], which is necessary to identify the business requirements.
• Drafting policy - Coming up with statements that are legally sound and written in simple English [4].
• Policy deployment - Sharing and distributing policies around the organization.
• Testing understanding & affirming acceptance - Making sure that employees understand the policy and are ready to abide by it.
• Auditing policy penetration - Reviewing the policy and generating a report to the management on compliance status [4].
IV. POLICY REPOSITORY
Another important issue examined in this research is the policy repository. It is a shared database where all policy documents are stored for ease of access. In large organizations, a huge number of policy documents are used, and those documents need a management solution. Thus, management starts from storing them in a single database where everyone in the organization is able to access them at any time. The policy repository is the main component of a policy management program. This component will be used as part of the proposed policy management framework.

Policy Management Framework for Managing Enterprise Policies
Dahir A. Ga’al and Wardah Zainal Abidin
World Academy of Science, Engineering and Technology 70 2010
V. POLICY MANAGEMENT PROGRAM
To implement policy management across the organization, a policy management program should be developed. As discussed earlier, policy can be managed manually or in an automated way. Based on this, there are two approaches for developing a policy management program [3]: manual or automated. In the manual approach, people manage the policies. In the automated approach, software tools are used instead [3]. A manual policy management program is good for small organizations because their limited number of policies can easily be managed by people. Large organizations, however, need a software solution to manage the large number of policies across the organization.
VI. POLICY MANAGEMENT MODELS
In order to propose a policy management framework,
several existing related frameworks were studied and the
IETF/DMTF Policy Framework is deemed most suitable to be
investigated in depth.
VII. THE IETF/DMTF POLICY FRAMEWORK
The IETF/DMTF policy framework was introduced by the IETF (Internet Engineering Task Force) and the DMTF (Distributed Management Task Force) and is shown in figure 1. This framework is used as the basis for designing a policy management framework. It consists of four components, namely: policy management tool, policy repository, policy decision point and policy enforcement point.
Fig. 1 The IETF/DMTF policy framework [5]
The policy management tool is a graphical user interface that users or policy readers can use to access the organization’s policies. This tool provides the mechanism to retrieve policies from the policy repository. Within this tool, management users can also draft new policies, review existing ones within a specified time frame, or simply view policies that are stored in the policy repository. The policy repository is used for the storage of policies after they have been drafted and approved by the approvers of that policy using the policy management tool. It is a database that is connected to the policy management tool for the storage of the policies. Lastly, the Policy Decision Point is the final point where management users can approve newly drafted policies and allow them to be accessed by the normal users or staff.
VIII. UNIVERSITI TEKNOLOGI MALAYSIA: CASE STUDY
Universiti Teknologi Malaysia (UTM) is one of Malaysia’s leading universities in engineering, science and technology. It is located in Johor Bahru, the southern city of Malaysia [6]. It is famous [6] for being at the forefront of engineering and technological knowledge in Malaysia. Interest in policy management began when the University’s legal affairs department decided to have a software tool for managing policy documents all over UTM because of the large volume of existing policy documents. The department needs to make all UTM policies available in digital format, rather than as printed documents kept on shelves, to ease access. To digitize UTM policies, the department needs a web-based policy management tool. This will consist of a policy repository, for the storage of all policies, and policy management for retrieving, drafting, reviewing and storing policies. The legal department also needs to keep all staff updated on the current and old policies by providing an online policy management tool. This tool can give them online access to all policies, which makes it easy for them to read and understand the policies and to stay updated on new ones. After the problems had been identified, an interview was conducted with top officers of the legal department in UTM to get a deep understanding of the state of the problem. The result of the interview showed that there is a need for policy management software as a solution to the problem. However, a policy management framework was proposed as a solution to the problem of how to make all policies available online and how to get staff to read and understand the organization’s policies.
IX. PROPOSED POLICY MANAGEMENT FRAMEWORK
As discussed above, the IETF/DMTF policy framework is used as the basic concept for designing a policy management framework as a solution for the policy management need in organizations. The proposed framework will give organizations a policy management solution and is shown in figure 2.
Fig. 2 Proposed Policy management framework
As shown in the above figure, the proposed
framework consists of the following components:
1. Policy Reviewers
2. Policy Approver, Readers and Owner
3. Browser
4. Policy Management Tool
a. User Interface Manager
b. Policy Editor
c. Policy Decision Point
5. Policy Approvers
6. Policy Repository
[Figure 2 labels. Components: Policy Repository; Policy Reviewers; Policy Readers; Policy Owners; Browser; Policy Management Tool (UI Manager, Policy Editor, Policy Decision Point); Policy Approvers. Flows: Retrieve policies; Draft / review existing policies; Retrieve newly drafted policies; Approve; Store approved policy.]
TABLE I
SUMMARY OF PROPOSED POLICY MANAGEMENT FRAMEWORK DESCRIPTION

Policy Approver, Readers and Owner: These three components are the users of the policy management framework. The policy approver is the person who approves the policy after it has been drafted by the policy creator or owner. Policy readers are the target groups in the organization who are required to read the policy. Lastly, the policy owner is the person(s) who drafted or created the policy.

Browser: This is the first component; it lets users access the policy management tool through a web browser.

Policy Management Tool: The second component is the policy management tool. This component consists of three sub-components: User Interface Manager, Policy Editor and Policy Decision Point.

User Interface Manager: The User Interface Manager is the front end of the policy management tool, where users are able to view the existing policies.

Policy Editor: The second component of the policy management tool is the policy editor. This component allows the user to view, draft and review policies and save them to the repository.

Policy Decision Point: The final component of the policy management tool is the Policy Decision Point, where the administrator or top-level management users can release the newly approved policies and allow them to be accessed by the target staff.

Policy Approvers: The third component of the proposed model is the Policy Approvers, where the administrator or top-level management users can approve the newly drafted policies so that the readers will be able to view them.
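The draft, approve and release flow of Fig. 2 and Table I, together with the acceptance and auditing stages of Section III, can be expressed as a state machine with per-role permissions. The following Python example is added here and is not code from the paper or from UTM's tool; the role, action and state names, the PolicyRepository class and the sample users are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    DRAFT = "draft"
    APPROVED = "approved"
    RELEASED = "released"


# Role -> allowed actions, following the component descriptions in Table I.
# Role and action names are assumptions made for this example.
PERMISSIONS = {
    "owner": {"draft", "view"},
    "approver": {"approve", "view"},
    "administrator": {"release", "view"},   # acts at the Policy Decision Point
    "reader": {"view", "acknowledge"},
}

# Action -> (state the policy must be in, state it moves to).
TRANSITIONS = {
    "approve": (State.DRAFT, State.APPROVED),
    "release": (State.APPROVED, State.RELEASED),
}

# Constructed sample users.
OWNER = {"name": "aisha", "role": "owner", "group": "legal"}
APPROVER = {"name": "bala", "role": "approver", "group": "legal"}
ADMIN = {"name": "chen", "role": "administrator", "group": "legal"}
READER = {"name": "dina", "role": "reader", "group": "staff"}
OTHER_READER = {"name": "emir", "role": "reader", "group": "students"}


@dataclass
class Policy:
    title: str
    owner: str
    target_group: str
    text: str
    state: State = State.DRAFT
    acknowledged_by: set = field(default_factory=set)


class PolicyRepository:
    """Single store for all policies, with an audit trail of every request."""

    def __init__(self):
        self.policies = {}
        self.audit = []   # (user, action, policy title, authorization outcome)

    def _check(self, user, action, title, allowed):
        self.audit.append((user["name"], action, title, "ok" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"{user['name']} may not {action} '{title}'")

    def draft(self, user, title, target_group, text):
        self._check(user, "draft", title, "draft" in PERMISSIONS[user["role"]])
        self.policies[title] = Policy(title, user["name"], target_group, text)

    def advance(self, user, action, title):
        """Approve or release a policy; each step needs its own role."""
        policy = self.policies[title]
        self._check(user, action, title, action in PERMISSIONS[user["role"]])
        required, result = TRANSITIONS[action]
        if policy.state is not required:
            raise ValueError(f"cannot {action} a {policy.state.value} policy")
        policy.state = result

    def _visible_to(self, user, policy):
        # Readers see only released policies aimed at their group;
        # management roles can see drafts in order to work on them.
        if user["role"] != "reader":
            return True
        return policy.state is State.RELEASED and policy.target_group == user["group"]

    def view(self, user, title):
        policy = self.policies[title]
        self._check(user, "view", title, self._visible_to(user, policy))
        return policy.text

    def acknowledge(self, user, title):
        policy = self.policies[title]
        allowed = ("acknowledge" in PERMISSIONS[user["role"]]
                   and self._visible_to(user, policy))
        self._check(user, "acknowledge", title, allowed)
        policy.acknowledged_by.add(user["name"])

    def outstanding(self, title, staff):
        """Compliance report: target readers who have not acknowledged yet."""
        policy = self.policies[title]
        return sorted(u["name"] for u in staff
                      if u["group"] == policy.target_group
                      and u["name"] not in policy.acknowledged_by)


if __name__ == "__main__":
    repo = PolicyRepository()
    repo.draft(OWNER, "Acceptable Use", "staff", "Constructed policy text.")
    repo.advance(APPROVER, "approve", "Acceptable Use")
    repo.advance(ADMIN, "release", "Acceptable Use")
    print(repo.view(READER, "Acceptable Use"))
    repo.acknowledge(READER, "Acceptable Use")
    print(repo.outstanding("Acceptable Use", [READER, OTHER_READER]))
    print(repo.audit)
```

Denied requests are written to the audit trail before the exception is raised, so the same record that backs the compliance report also shows who attempted to read or change a policy outside their role.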
X. CONCLUSION
There is not a clear and complete definition of policy management in the past literature. However, this paper presented what is meant by policy management according to the researcher’s view. The IETF/DMTF policy framework was also used as the basic idea in designing the policy management framework, which is the main result of the paper. This proposed policy management framework was designed to help large organizations manage their policies and ensure that their employees read and understand all policies across the organization. In the near future, to implement the framework presented in the paper, a policy management tool needs to be developed. The tool can be used to manage all policies in an organization, in order to prove the concept presented in this paper. This policy management tool will be a website that covers all policy management needs across the organization.
ACKNOWLEDGMENT
The authors would like to thank University Teknologi
Malaysia (UTM) for their sincere help and cooperation in
making this paper successful. The authors are also indebted to
the Ministry of Science, Technology and Innovation (MOSTI)
of Malaysia, under the FRGS (Fundamental Research Grant
Scheme) (Vot: 78654). This research is still ongoing.
REFERENCES
[1] Michael E. Whitman and Herbert J. Mattord. (2005). Principles of Information Security. (2nd Ed). Canada: Thomson Learning.
[2] Wikipedia. Policy. http://en.wikipedia.org/wiki/Policy. (Last accessed on April 30, 2010).
[3] Harris Weisman. (2006). Policy management: Manual vs. automated tools. Information Security magazine.
[4] PolicyMatter - White Paper: the Freedom of Information Act - Why effective policy management is crucial. 05/01/2005. Available: http://www.policymatter.com/news/news050105/.
[5] Dinesh C. Verma & IBM Thomas J Watson Research Centre (2002). Simplifying Network Administration Using Policy-Based Management. IEEE Network, 02, 0890-8044.
[6] UTM. (2010). Introduction. http://www.utm.my/aboututm/about-utm.html (accessed on: 19 May 2010).
Ga’al, Dahir Abdi (Mr.) received his B.sc. in Science in Information
Technology from Somali Institute of Management and Administration
Development (SIMAD), Mogadishu, Somalia in 2007 and M.sc. in IT
Management from University Technology Malaysia (UTM), Malaysia in
2009. Currently he is a PhD student in Faculty of Computer & Information
Sciences, University Technology Petronas (UTP), Malaysia.
Wardah Zainal Abidin (Assoc. Prof) is an associate professor at
the Advanced Informatics School, UTM. She obtained her first degree at
Universiti Kebangsaan Malaysia (UKM), in 1981, in Pharmacology. After
that she pursued her studies in Computer Science in Universiti Teknologi
Malaysia (UTM), first taking her Advanced Diploma and later Masters in
Computer Science. On 30th August 1984, her life as an academician at
UTM began and she has not looked back ever since. Computer Science
and later Information Technology have never ceased to amaze her although
her first degree was in biological sciences. Apart from teaching at the
Department, she had the opportunity to be involved with several consultancy
groups mostly involving government agencies and government-linked
companies since 1992.
World Academy of Science, Engineering and Technology 70 2010
139

More Related Content

DOC
Information systems strategy formulation
PPT
Teti Ediscovery Presentation 060810
PDF
Proposal of a Framework of Lean Governance and Management of Enterprise IT
PDF
The measurement of maturity level of information technology service based on ...
PPT
MIS Chapter 4
PPTX
Management ( Six Business Objectives)
PPTX
IT Professional Perspective Final Slides
PDF
The benefits of technology standards it-toolkits
Information systems strategy formulation
Teti Ediscovery Presentation 060810
Proposal of a Framework of Lean Governance and Management of Enterprise IT
The measurement of maturity level of information technology service based on ...
MIS Chapter 4
Management ( Six Business Objectives)
IT Professional Perspective Final Slides
The benefits of technology standards it-toolkits

What's hot (20)

PDF
Ahlan, arshad, ajayi 2014 - it governance in a malaysian public institute o...
PDF
WP1 - Planning and Budgeting Systems
PDF
Conceptualizing Information Technology Governance Model for Higher Education:...
PPT
Structured Approach To Implementing Information And Records Management (Idrm)...
PPTX
IT Governance Made Easy
PDF
Financial Management Information System within Government Institution and Sup...
PPTX
Corporate governance of INFORMATION TECHNOLOGY (IT)
PPTX
What Is It Governance Introduction
PPT
MIS Chapter 3
PDF
Protecting business interests with policies for it asset management it-tool...
PDF
LBBD ICT Strategy Report 2013-17
PDF
It governance practices and enterprise effectiveness in zimbabwe a case of a ...
PDF
Accounting informationsystem
PDF
CHANGE MANAGEMENT: IMPLEMENTATION AND BENEFITS OF THE CHANGE CONTROL IN THE I...
PDF
Business process and is lecture 2
PDF
INFORMATION SYSTEMS, ORGANIZATIONS, AND STRATEGY for management information s...
PPT
MIS Chapter 1
PDF
Stream C_Ross Agnew Ursula Bryan
PDF
Research evolution on implementation and adoption behaviour of information sy...
PPT
Governance Of Enterprise Information Technology V3
Ahlan, arshad, ajayi 2014 - it governance in a malaysian public institute o...
WP1 - Planning and Budgeting Systems
Conceptualizing Information Technology Governance Model for Higher Education:...
Structured Approach To Implementing Information And Records Management (Idrm)...
IT Governance Made Easy
Financial Management Information System within Government Institution and Sup...
Corporate governance of INFORMATION TECHNOLOGY (IT)
What Is It Governance Introduction
MIS Chapter 3
Protecting business interests with policies for it asset management it-tool...
LBBD ICT Strategy Report 2013-17
It governance practices and enterprise effectiveness in zimbabwe a case of a ...
Accounting informationsystem
CHANGE MANAGEMENT: IMPLEMENTATION AND BENEFITS OF THE CHANGE CONTROL IN THE I...
Business process and is lecture 2
INFORMATION SYSTEMS, ORGANIZATIONS, AND STRATEGY for management information s...
MIS Chapter 1
Stream C_Ross Agnew Ursula Bryan
Research evolution on implementation and adoption behaviour of information sy...
Governance Of Enterprise Information Technology V3
Ad

Similar to Policy management framework_for_managing (20)

PDF
Sim an innovative business oriented approach for a distributed access management
PDF
Sim an innovative business oriented approach for a distributed access management
PDF
Agile Policy Making
PDF
8367 collaborative policy-administration-pdf
PDF
Technology Implementation Paper
PPTX
Policy Framework
DOCX
CHAPTER 5 Security Policies, Standards, Procedures, a
DOCX
Mafi Work Plan 2013, short version (March 2013)
PPTX
ISO27001_COBIT_Students.pptx
DOCX
71 Information Governance Policy Development .docx
PDF
Strategic Advocacy Framework (1)
PPTX
Principal 4 Enabling A Holistic Approach
PDF
Whitepaper - ISO 27001 implementation
PDF
Information Management Workshop
PDF
K-MEANS MAP REDUCE ALGORITHS Guidebook_FINAL-
PDF
Modern Workspace Based Policy Management with Automated Keyword Extraction an...
PDF
So you want to go digital
PDF
Vskills manufacturing technology management professional sample material
PDF
Corporate Strategy And Project Management
PDF
Innovative Technologies And Software For Higher Education...
Sim an innovative business oriented approach for a distributed access management
Sim an innovative business oriented approach for a distributed access management
Agile Policy Making
8367 collaborative policy-administration-pdf
Technology Implementation Paper
Policy Framework
CHAPTER 5 Security Policies, Standards, Procedures, a
Mafi Work Plan 2013, short version (March 2013)
ISO27001_COBIT_Students.pptx
71 Information Governance Policy Development .docx
Strategic Advocacy Framework (1)
Principal 4 Enabling A Holistic Approach
Whitepaper - ISO 27001 implementation
Information Management Workshop
K-MEANS MAP REDUCE ALGORITHS Guidebook_FINAL-
Modern Workspace Based Policy Management with Automated Keyword Extraction an...
So you want to go digital
Vskills manufacturing technology management professional sample material
Corporate Strategy And Project Management
Innovative Technologies And Software For Higher Education...
Ad

More from MajiiiAbd (6)

PPTX
وتحسن التواصل الفعال بكيف تقرأ لغة الجسد.pptx
PPTX
IHI-OS selection Criteria CE.pptx
PPTX
starbucks.pptx
PPT
Lesson_1_EFFECTIVE_COMMUNICATION_SKILLS (1).ppt
DOCX
Fishbone Diagram Template 01 - TemplateLab.com.docx
PDF
Hospital accreditation guide october 2016
وتحسن التواصل الفعال بكيف تقرأ لغة الجسد.pptx
IHI-OS selection Criteria CE.pptx
starbucks.pptx
Lesson_1_EFFECTIVE_COMMUNICATION_SKILLS (1).ppt
Fishbone Diagram Template 01 - TemplateLab.com.docx
Hospital accreditation guide october 2016

Recently uploaded (20)

PPTX
Nancy Caroline Emergency Paramedic Chapter 8
PDF
Essentials of Hysteroscopy at World Laparoscopy Hospital
PPTX
Arthritis Types, Signs & Treatment with physiotherapy management
PPTX
Nepal health service act.pptx by Sunil Sharma
PPTX
Acute renal failure.pptx for BNs 2nd year
PDF
chapter 14.pdf Ch+12+SGOB.docx hilighted important stuff on exa,
PPTX
GCP GUIDELINES 2025 mmch workshop .pptx
PDF
Medical_Biology_and_Genetics_Current_Studies_I.pdf
PPT
12.08.2025 Dr. Amrita Ghosh_Stocks Standards_ Smart_Inventory Management_GCLP...
DOCX
PT10 continues to explose your mind right after reading
PPTX
Understanding The Self : 1Sexual health
PPTX
Nancy Caroline Emergency Paramedic Chapter 14
PPTX
Full Slide Deck - SY CF Talk Adelaide 10June.pptx
PPTX
ANALGESIC AND ANTI-INFLAMMssssssATORY DRUGS.pptx
PDF
demography and familyplanning-181222172149.pdf
PPTX
OSTEOMYELITIS and OSTEORADIONECROSIS.pptx
PPTX
Nancy Caroline Emergency Paramedic Chapter 4
PDF
Introduction to Clinical Psychology, 4th Edition by John Hunsley Test Bank.pdf
PPTX
Nancy Caroline Emergency Paramedic Chapter 11
PPTX
Hospital Services healthcare management in india
Nancy Caroline Emergency Paramedic Chapter 8
Essentials of Hysteroscopy at World Laparoscopy Hospital
Arthritis Types, Signs & Treatment with physiotherapy management
Nepal health service act.pptx by Sunil Sharma
Acute renal failure.pptx for BNs 2nd year
chapter 14.pdf Ch+12+SGOB.docx hilighted important stuff on exa,
GCP GUIDELINES 2025 mmch workshop .pptx
Medical_Biology_and_Genetics_Current_Studies_I.pdf
12.08.2025 Dr. Amrita Ghosh_Stocks Standards_ Smart_Inventory Management_GCLP...
PT10 continues to explose your mind right after reading
Understanding The Self : 1Sexual health
Nancy Caroline Emergency Paramedic Chapter 14
Full Slide Deck - SY CF Talk Adelaide 10June.pptx
ANALGESIC AND ANTI-INFLAMMssssssATORY DRUGS.pptx
demography and familyplanning-181222172149.pdf
OSTEOMYELITIS and OSTEORADIONECROSIS.pptx
Nancy Caroline Emergency Paramedic Chapter 4
Introduction to Clinical Psychology, 4th Edition by John Hunsley Test Bank.pdf
Nancy Caroline Emergency Paramedic Chapter 11
Hospital Services healthcare management in india

Policy management framework_for_managing

  • 1. Abstract—Policy management in organizations became rising issue in the last decade. It’s because of today’s regulatory requirements in the organizations. To manage policies in large organizations is an imperative work. However, major challenges facing organizations in the last decade is managing all the policies in the organization and making them an active documents rather than simple (inactive) documents stored in computer hard drive or on a shelf. Because of this challenge, organizations need policy management program. This policy management program can be either manual or automated. This paper presents suggestions towards managing policies in organizations. As well as possible policy management solution or program to be utilized, manual or automated. The research first examines the models and frameworks used for managing policies from various perspectives in the literature of the research area/domain. At the end of this paper, a policy management framework is proposed for managing enterprise policies effectively and in a simplified manner. Keywords—Policy, policy management, policy management program, policy repository. I. INTRODUCTION OLICY can be defined as plan of action used by an organization to give instructions from its senior management to those who make decisions to take actions, and perform other duties on behalf of the organization’s context [1]. Major challenge facing organizations in the last decade is how to distribute all their policies to target employees. And to keep them read, understand and comply with all policies in the organization [3]. Because of this challenge, there is a strong demand in organizations for some kind of policy management solution. This policy management solution can be either manual or automated [3]. 
Policy management in the context of this paper is the conversion of policies into practical and enforceable [3] documents, rather than simple documents in which employees neglect or don’t read it, that can be implemented in the organization as whole. However, most organizations manage their policies manually. Weisman quoted “Developing a manual policy management solution is creating a set of procedures that reflects the purpose of the policy. Keep the policies as high level as possible; the procedures and guidelines will provide the details necessary D. A. Ga’al is with the Information Systems Department, Universiti Teknologi Malaysia, Johor, Malaysia (daaha_isme@yahoo.com). W. Zainal Abidin, is an associate professor at the Advanced Informatics School, Universiti Teknologi Malaysia, International Campus, 54100, Kuala Lumpur, Malaysia (wardah@utm.my). for day-to-day operations” [3]. Managing policies manually is good for small organizations, but large organizations should have software solutions to manage their policies in a way that is quick, online and reliable. II. POLICY Policy can be defined as plan of action used by an organization to give instructions from its management to those who perform day to day duties on behalf of the organization context [1]. It can also be defined as organizational rules and regulations that define acceptable and unacceptable behavior within the organization [1]. Policy is typically written document that defines a plan or course of action to guide decisions and achieve rational outcome(s) in organization [2]. III. POLICY MANAGEMENT In the last decade, policy management became an imperative issue in organizations, because of modern regulatory requirements. Therefore, policy management entails, managing the life cycle of the policy from drafting until archival. 
According to [4], there are five key stages of policy management: • Establishing policy requirements - Investigating all the “relevant law, regulatory requirements, guidelines and best practice” [4] which is necessary to identify the business requirements. • Drafting policy – is to come up with statements, those sounds fine in legality, in simple English [4]. • Policy deployment - Sharing and distributing policies around the organization. • Testing understanding & affirming acceptance - To make sure that employees understand the policy and ready to abide by it. • Auditing policy penetration - Reviewing policy and generating report to the [4] management on compliance status. IV. POLICY REPOSITORY Another important issue which was examined in this research is policy repository. It is a shared database where all policy documents are stored for ease of access. In large organizations, a huge number of policy documents are used; and those documents need management solution. Thus, management starts from storing them in a single database where everyone in the organization is able to access them any Policy Management Framework for Managing Enterprise Policies Dahir A. Ga’al and Wardah Zainal Abidin P World Academy of Science, Engineering and Technology 70 2010 136
  • 2. time. Policy repository is the main important component of policy management program. However, this component will be used as part of the proposed policy management framework. V.POLICY MANAGEMENT PROGRAM To implement policy management across the organization, a policy management program should be developed. As discussed earlier, policy can be managed manually or automated way. Based on this, there are two approaches for developing policy management program [3]; manual or automated. For the manual, there is human involvement to manage the policies. For the automated approach, software tools are used instead [3]. The manual way of policy management program is good for small organizations because of their limited number of policies which people can manage easily. But large organizations need software solution to manage the large number of policies across the organization. VI. POLICY MANAGEMENT MODELS In order to propose a policy management framework, several existing related frameworks were studied and the IETF/DMTF Policy Framework is deemed most suitable to be investigated in depth. VII. THE IETF/DMTF POLICY FRAMEWORK The IETF/DMTF policy framework is introduced by IETF (Internet Engineering Task Force) and DMTF (Distributed Management Task Force) and is shown in figure 1. This framework is being used as the basis for the efforts of designing a policy management framework. It consists of four components namely: policy management tool, policy repository, policy decision point and policy enforcement point. Fig. 1 The IETF/DMTF policy framework [5] The policy management tool is a graphical user interface where the users or policy readers can use it to access the organization’s policies. This tool provides the mechanism to retrieve policies from the policy repository. Within this tool the management users can also draft new policies, review existing ones within specified time frame, or simply view policies that are stored in the policy repository. 
The policy repository is used for the storage of policies, after they have been drafted and approved by the approvers of that policy by using policy management tool. It is a database, which is connected to the Policy Management Tool for the storage of the policies. Lastly, Policy Decision Point is the final point where management users can approve newly drafted policies and allow them to be accessed by the normal users or staff. VIII.UNIVERSITI TEKNOLOGI MALAYSIA: CASE STUDY Universiti Teknologi Malaysia (UTM) is one of Malaysia’s leading universities in engineering, science and technology. It is located in Johor Bahru, the southern city of Malaysia [6]. It is famous [6] for being at the forefront of engineering and Technological knowledge in Malaysia. Interest in policy management began when the University’s legal affairs department decided to have a software tool to use for managing policy documents all over UTM because of the existing huge policy documents. The department needs to make all UTM policies in digital format, rather than printed documents kept on shelves, to ease access. To digitize UTM policies, they need to have web base policy management tool. This will consist of policy repository, for the storage of all policies, and policy management for retrieval, drafting, reviewing and storing policies. The legal department also needs to keep all staffs updated on the current and old policies by providing online policy management tool. This tool can give them access to all policies online which is very easy for them to read understand and to keep them updated on new policies. After the problems have been identified, an interview was conducted with top officers of the legal department in UTM to get deep understanding on the state of the problem. The result from the interview showed that there is a need for policy management software to use as a solution for the problem. 
However, policy management framework was proposed as a solution for the problem regarding on how to make all policies online and how to keep staff to read and understand organization’s policies. IX. PROPOSED POLICY MANAGEMENT FRAMEWORK As discussed above, IETF/DMTF policy framework is used as the basic concept in order to design policy management framework as a solution for the policy management need in organizations. The proposed framework will give organizations policy management solution and is shown in figure 2. Policy Repository Policy management Tool Policy decision Point Policy enforcement point World Academy of Science, Engineering and Technology 70 2010 137
[Figure: Policy Owners, Policy Reviewers, Policy Readers and Policy Approvers reach the Policy Management Tool (UI Manager, Policy Editor, Policy Decision Point) through the Browser; the tool is connected to the Policy Repository. Flow labels: Retrieve Policies; Draft / Review existing Policies; Retrieve newly drafted Policies; Approve; Store approved policy.]
Fig. 2 Proposed policy management framework

As shown in the above figure, the proposed framework consists of the following components:
1. Policy Reviewers
2. Policy Approver, Readers and Owner
3. Browser
4. Policy Management Tool
   a. User Interface Manager
   b. Policy Editor
   c. Policy Decision Point
5. Policy Approvers
6. Policy Repository
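The flow labelled in Fig. 2 (draft or review, approve, store the approved policy, release to readers) can be modelled as a role-gated state machine. The following Python code is an added example, not code from the paper; the role strings, the state names, the requirement that review precede approval, and the single version per policy title are assumptions made for illustration.

```python
from enum import Enum


class State(Enum):
    DRAFTED = "drafted"
    REVIEWED = "reviewed"
    APPROVED = "approved"    # stored in the Policy Repository
    RELEASED = "released"    # released by the Policy Decision Point


# action -> (role allowed to perform it, state required, resulting state)
# Role names are assumed labels for the actors shown in Fig. 2.
TRANSITIONS = {
    "review": ("reviewer", State.DRAFTED, State.REVIEWED),
    "approve": ("approver", State.REVIEWED, State.APPROVED),
    "release": ("admin", State.APPROVED, State.RELEASED),
}


class PolicyManagementTool:
    def __init__(self):
        self.editor = {}       # Policy Editor workspace: title -> [state, text]
        self.repository = {}   # Policy Repository: title -> [state, text]

    def draft(self, role, title, text):
        if role != "owner":
            raise PermissionError(f"{role} may not draft policies")
        self.editor[title] = [State.DRAFTED, text]

    def act(self, role, action, title):
        allowed_role, required, result = TRANSITIONS[action]
        if role != allowed_role:
            raise PermissionError(f"{role} may not {action} policies")
        # Release operates on stored policies; review/approve on drafts.
        store = self.repository if action == "release" else self.editor
        record = store[title]
        if record[0] is not required:
            raise ValueError(f"cannot {action} a policy in state {record[0].value}")
        record[0] = result
        if result is State.APPROVED:
            # "Store approved policy": only approved text reaches the repository.
            self.repository[title] = self.editor.pop(title)
        return result

    def read(self, role, title):
        # UI Manager: readers see a policy only after the PDP has released it.
        record = self.repository.get(title)
        if record is None or (role == "reader" and record[0] is not State.RELEASED):
            raise LookupError(f"{title!r} is not available to {role}")
        return record[1]
```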
TABLE I
SUMMARY OF PROPOSED POLICY MANAGEMENT FRAMEWORK DESCRIPTION

Policy Approver, Readers and Owner: These three components are the users of the policy management framework. The policy approver is the person who approves the policy after it has been drafted by the policy creator or owner. Policy readers are the target groups in the organization that are required to read the policy. Lastly, the policy owner is the person(s) who drafted or created the policy.

Browser: This is the first component; it lets users access the policy management tool through a web browser.

Policy Management Tool: The second component is the Policy Management Tool. This component consists of three sub-components: the User Interface Manager, the Policy Editor and the Policy Decision Point.

User Interface Manager: The User Interface Manager is the front end of the policy management tool, where the users are able to view the existing policies.

Policy Editor: The second component of the policy management tool is the Policy Editor. This component allows the user to view, draft and review policies and save them to the repository.

Policy Decision Point: The final component of the policy management tool is the Policy Decision Point, where the administrator or top-level management users can release the newly approved policies and allow them to be accessed by the target staff.

Policy Approvers: The third component of the proposed model is the Policy Approvers, where the administrator or top-level management users can approve the newly drafted policies so that the readers will be able to view them.

X. CONCLUSION

There is not a clear and complete definition of policy management in the past literature. However, this paper presented what is meant by policy management according to the researcher's view. The IETF/DMTF policy framework was also used as the basic idea in designing the policy management framework, which is the main result of the paper.
This proposed policy management framework was designed to help large organizations manage their policies and keep their employees reading and understanding all policies across the organization. In the near future, to implement the framework presented in the paper, a policy management tool needs to be developed. The tool can be used to manage all policies in the organization, in order to prove the concept presented in this paper. This policy management tool will be a website that serves all policy management needs across the organization.

ACKNOWLEDGMENT

The authors would like to thank Universiti Teknologi Malaysia (UTM) for their sincere help and cooperation in making this paper successful. The authors are also indebted to the Ministry of Science, Technology and Innovation (MOSTI) of Malaysia, under the FRGS (Fundamental Research Grant Scheme) (Vot: 78654). This research is still ongoing.

REFERENCES

[1] Michael E. Whitman and Herbert J. Mattord. (2005). Principles of Information Security. (2nd Ed). Canada: Thomson Learning.
[2] Wikipedia. Policy. http://en.wikipedia.org/wiki/Policy. (Last accessed on April 30, 2010).
[3] Harris Weisman. (2006). Policy management: Manual vs. automated tools. Information Security magazine.
[4] PolicyMatter - White Paper: the Freedom of Information Act - Why effective policy management is crucial. 05/01/2005. Available: http://www.policymatter.com/news/news050105/.
[5] Dinesh C. Verma & IBM Thomas J Watson Research Centre (2002). Simplifying Network Administration Using Policy-Based Management. IEEE Network, 02, 0890-8044.
[6] UTM. (2010). Introduction. http://www.utm.my/aboututm/about-utm.html (accessed on: 19 May 2010).

Ga’al, Dahir Abdi (Mr.) received his B.Sc. in Science in Information Technology from Somali Institute of Management and Administration Development (SIMAD), Mogadishu, Somalia in 2007 and M.Sc. in IT Management from University Technology Malaysia (UTM), Malaysia in 2009.
Currently he is a PhD student in Faculty of Computer & Information Sciences, University Technology Petronas (UTP), Malaysia.

Wardah Zainal Abidin (Assoc. Prof) is an associate professor at the Advanced Informatics School, UTM. She obtained her first degree at Universiti Kebangsaan Malaysia (UKM), in 1981, in Pharmacology. After that she pursued her studies in Computer Science in Universiti Teknologi Malaysia (UTM), first taking her Advanced Diploma and later Masters in Computer Science. On 30th August 1984, her life as an academician at UTM began and she has not looked back ever since. Computer Science and later Information Technology have never ceased to amaze her although her first degree was in biological sciences. Apart from teaching at the Department, she had the opportunity to be involved with several consultancy groups mostly involving government agencies and government-linked companies since 1992.

World Academy of Science, Engineering and Technology 70 2010 139