Like many tech-oriented people, I find the idea of reviewing and developing corporate policies about as appealing as sticking a needle in my eye. But this is the month to eat vegetables instead of pizza, to drink water instead of beer, to exercise instead of watch Netflix, and to work on IT policies instead of tech toys. Fortunately, unlike many other New Year’s resolutions, just a little effort spent on policies can have long-lasting benefits.
Why IT Policies Are Important
I’m sure a lawyer (which I am not) could give a long, detailed explanation of why policies are necessary from a legal perspective (which is important) but my concerns have more to do with day-to-day operations.
With technology in particular, I often find that a combination of technical misunderstanding, differing assumptions and lack of communication results in a disconnect between business executives’ expectations and an organization’s capacity to deliver. Properly developing policies prompts executives to think through questions and potential consequences — hopefully with the IT department’s input — and to arrive at thoughtful answers, clearing up misunderstandings and establishing uniform assumptions in the process.
Looking beyond the IT department to the company as a whole, the days of a strict delineation between business life and personal life when it comes to technology are seemingly over, and businesses take a wide variety of approaches in defining what’s acceptable. Consequently, employees need guidance, and developing and distributing policies ensures that everyone is aware of the company’s views and rules.
Broadening the Scope
If your company is like many small businesses, the existing IT policies (if they exist at all) probably consist of an outdated document that addresses issues like personal use of company computers and forbidden websites. As we grapple with the ubiquity of social media and mobile devices, the rise of new cybersecurity threats, and the ever-increasing importance of and reliance on technology, a 10- or 15-year-old document is due for an overhaul that incorporates and thoughtfully addresses issues that did not exist when the original policies were created.
Whether part of a single, comprehensive document or a set of smaller documents, every small business should have the following policies, at a minimum:
Information Security
Addresses passwords, confidentiality and remote access for all employees. Addresses security controls, data retention, disaster recovery and much more for IT management.
Acceptable Use
Addresses use of company resources and expectation of privacy. Prohibits illegal or malicious activity.
Mobile Device
Addresses business use of personal devices, rules for company-supplied devices and use of mobile device management.
Social Media
Raises awareness of potential impact of social media activity and provides guidelines for appropriate content.
Developing Your Policies
Many of the issues and questions addressed through IT policies do not have a single right answer. Your attorney, your IT department, and Google can and probably should all help with the process of developing them, but ultimately it is up to executive leadership to determine what’s appropriate and in line with an organization’s requirements and outlook.
Starting from Scratch?
If you have never created IT policies for your business (or question whether you’ve done it right) there are a variety of assistance options online that will provide free samples, including:
• bizmanualz.com/sample-it-policy-procedure-template
• business.eset.com/making-cybersecurity-policies-pay-off/
• zdnet.com/article/100-it-policies-at-your-fingertips-ready-for-download/
If you’re looking for a more customized option, the following company offers IT policies tailored to your specific needs within an hour. Prices range from $149 (5 policies) to $599 (21 policies).
Steven Ellis has spent the last 16 years working at the intersection of business and technology for Bellwether Technology in New Orleans, where he serves as the company’s vice president.