In previous articles we’ve discussed the fact that many businesses have come to depend on IT, to the extent that without proper IT systems they cannot function properly, if at all.
By “IT systems” we mean computers, software, email, databases and bespoke departmental or functional software systems, any or all of which may form part of your business’s “IT estate”.
Because of this increasing dependence on IT and network systems, and particularly as your employee numbers increase, the number and types of computer-based interactions among employees and with suppliers, customers and partners will continue to grow enormously.
So the need to have formal IT policies in place becomes critical.
In this article we take a look at why it’s so important to have IT policies, and explore some of the most common forms of IT policy.
Why all the fuss about IT policies?
An important role of management is to establish standards, rules and guidelines. But more than they, these ‘policies’ need to be documented as a point of reference for the occasions when ‘difficult’ situations arise, and enforced when lines are crossed.
Many aspects of running a business may be subject to interpretation in different ways, so with a policy in place it becomes clear what type of behaviour is expected, and what steps need to be taken in case of the unexpected.
The main reasons why IT policies are needed are:
- IT and communications systems continuity: among all the operational systems in a business, IT systems are most dependent upon continuity. The key to smooth, ongoing IT operations is for IT staff to have a shared understanding of how IT systems and operations are designed, which job roles are responsible for which tasks and what usage and operating guidelines exist. Without a policy in place, IT operations risk becoming inefficient and chaotic.
- Data protection: data protection is not just a matter for good management; it’s subject to legislation at national and European government level, with heavy penalties for transgression. It’s about securing business assets but also making sure that any personal data you hold on customers and partners remains private and confidential, and does not get into the wrong hands for any reason.
- Employee usage guidelines: there are two factors to this:
o Productivity: ensuring that employees are aware of your expectations regarding their use the internet, mobile devices, personal email and social media within work time, and on work premises. A common term used to described appropriate behaviour is “Acceptable Use” – and so what constitutes ‘acceptable’ and ‘unacceptable’ use should be documented in a policy.
o Security: as outlined above, employees must be very clear about their duty to safeguard company data and the private details of customers held by the business. “Data leakage” is a common term for the loss - whether by theft, loss or negligence - of either sensitive business data, or confidential personal data. Preventing this type of data loss by informing and educating employees is very important.
- Disaster and emergency recovery: what happens in the event of an emergency. As many organisations have found to their cost, it’s not just a matter of how you want employees to use your IT systems, but the measures you need to take in order to ensure they’re still available in the event of an emergency.
The most common forms of IT policy
The exact IT policies required by your organisation will be defined by the nature and size of your business, the number of employees, the products or services you sell and the specific IT systems you use.
For example most organisations require an “Acceptable IT Use” policy, but not every business would have a “Remote Access Policy” because working away from the usual workplace may not be possible or sanctioned in some organisations.
Let’s look at the most commonly used IT policies
1. Acceptable Use Policy
“Acceptable use” describes the guidelines for the use of company computers and telephones, and should cover web browsing (for example specifically prohibiting access to certain types of website), email (for instance preventing use of company email for personal communications) and other aspects of IT use specific to your business. Your policy will also set out the consequences for misuse.
2. Device Usage Policy
A similar but more specific point is Device Usage Policy, which is about ensuring people know what they can and cannot do on computers and phones whilst connected to your network. As a business, you are responsible (and can be held liable) for what your employees do whilst using your IT and communications infrastructure, including for any illicit or illegal activities.
3. Social Media Policy
Opinions vary greatly about use of Social Media for both personal and business use. However its massive reach and ubiquitous use of smartphones means that many employees are now connected all the time, with the inevitable drain on productivity if used for personal reasons in the workplace. A Social Media Policy for your business is a must to eliminate any grey areas.
4. Disaster Recovery Policy
You don’t need to be told that the consequences of an unscheduled ‘shut down’ due to an emergency or disaster could result in significant costs and losses, even the failure of your business. It’s for this reason that planning your procedures in the event of such a disaster is critically important – not just for your IT systems, but for the whole of the business. Documenting how you will deal with the unexpected is covered in your ‘contingency plan’ or Disaster Recovery Policy.
5. IT Purchasing Policy
Clearly it is sensible to standardise on selected IT suppliers and products, and this should be enshrined in an IT Purchasing Policy. By failing to standardise on the sourcing of operating systems, hardware, software, vendors and support contracts, organisations run the risk of “maverick” purchasing of IT goods and services. Centralised, standardised purchasing also allows you to negotiate more cost effective contracts and prices.
6. Licensing and Upgrade Policy
Organisations that use multiple (and sometimes incompatible) software and hardware systems, with different versions and releases in use at the same time around the business are creating a costly and time-consuming overhead for themselves and their IT support engineers. So a comprehensive Licensing and Upgrade Policy will ensure that the whole business evolves its IT systems in a structured and planned way. Also, when you know which software versions and licenses are being used where and by which employees, you can also ensure you don’t infringe license agreements by using out of date software.
7. Backup Policy
Data loss due to system failure is a huge problem not just because of the direct productivity cost that arises as a result, but also because it’s inefficient and wasteful, and can indirectly affect revenue and customer relationships. Ensuring that your business has a standard approach to data backups in a Backup Policy is a sure way of avoiding such mishaps.
8. Password Policy
Insecure passwords continue to be one of the biggest ongoing problems both for individuals and businesses. Simple and duplicate passwords are easy prey for hackers. Password policy on company owned hardware and software systems can be enforced, for instance in order to force users to change their passwords regularly. A formal Password Policy that sets out the process and procedure is therefore a key document.
9. BYOD Policy
A BYOD (Bring Your Own Device) Policy sets out the organisation’s guidelines on how portable devices such as laptops, smartphones and tablets may connect within your network, and what the access criteria (for example the security profile of the devices) are. It can also deal with ‘guest’ access to the network, and set out policy decisions on what sort of devices are permitted to connect, and how they are prevented from accessing data that should be kept off limits.
10. Other IT policies
The number and range of possible IT policies is almost without limit, depending on how much detail your organisation wants to go into. Here are a few additional examples that we haven’t covered directly above, but which may be appropriate for your organisation:
Network Access Policy Incident Response Policy
Data Breach Reporting Policy Partner Connectivity Policy
Desktop Support Policy VPN and Remote Access Policy
Encryption Policy Email Policy
Web Usage Policy Online Safeguarding Policy
Intranet Use Policy Extranet Use Policy
Confidentiality Policy Physical Access Policy
Whatever the nature of your organisation, and whether or not you do business online, the need for IT Policies is very real. As well as ensuring your own business continuity and protecting your employees and customers, IT Policies should always address what to do in the event of unexpected events.
A key requirement of your IT Policies are that they provide black and white guidance, creating lines which must not be crossed and making clear the consequences if those lines are crossed.
They must also be realistic and enforceable, because an unenforceable policy with no teeth is no policy at all.
If you are concerned about IT Policies within your organisation, contact Alliance Solutions for a free consultation about which areas your IT and network estate they should be applied to.