Writing IT policies isn’t fun, but it’s necessary. The best way to ensure a company’s IT resources are used appropriately and productively is to document requirements and expectations, and the consequences of policy violations.
Given the number of different policies out there, putting them all into one document would be enough to scare even the most diligent employees away from reading it. That’s why we suggest the best approach is to write separate policies for each area of the business. Here are 8 of the more common policies you’re going to need:
Acceptable Use Policy
This policy covers what’s expected of employees when using company IT equipment. It should include scenarios such as traveling for business. Are employees expected to use a company-provided laptop and virtual private network (VPN) to access files on the main network?
This policy should also cover what is unacceptable, stating things such as employees must not engage in any illegal or inappropriate activities using the company’s IT equipment and services.
Because the acceptable use policy can cover numerous IT assets, you may need to consider separate policies for certain resources. Instead of including an “email services” section within the acceptable use policy, perhaps create a more specific, separate email policy.
Password Policy
A 2017 study states that around 80% of hacking-related data breaches involved weak, default, or stolen passwords. This is why a password policy is important. It needs to include guidelines for creating strong passwords, how often they must be changed, and the characters they need to include. We also recommend avoiding dictionary-based passwords, such as P@55w0rd, because dictionary attacks are one of the more popular ways to crack passwords.
Check your legal obligations too. Ensure you comply with any laws and regulations governing your business and the industry/locale it operates within.
Data Governance Policy
Data governance describes the measures that must be taken to manage data when it enters, goes through, and exits a company’s systems. Specifically, the policy documents how a company is making sure that its data is:
- Accurate, complete, and consistent across data sources (integrity)
- Easy to gather, access, and use
- Secured at all times
The policy needs to identify those responsible for the security and integrity of the data. It may also need to mention any third parties that play a role in the company’s data management processes.
Disaster Recovery Policy
Separate from the disaster recovery plan itself, a disaster recovery (DR) policy requires that the DR plan be periodically tested and updated. This ensures the DR plan is not mere words but a set of processes and procedures that have been tested and are ready if catastrophe strikes.
The DR policy outlines who is responsible for developing, testing, and updating the company DR plan. In addition, it may discuss, in broad terms, recovery requirements, allowable downtime, and business continuity.
Cloud Policy
Cloud policies specify who is responsible for evaluating and selecting cloud services. In addition, cloud policies often explicitly state that:
- Employees are not allowed to use their personal cloud services for work. For example, they cannot store business data in a personal Dropbox or Google Drive account.
- Employees cannot open a new cloud service account specifically for business purposes without prior authorisation. In this case, policies sometimes document how employees can get approval, or which cloud services are pre-approved.
Bring Your Own Device (BYOD) Policy
The increased use of employees’ personal smartphones and other mobile devices for work is prompting businesses to develop Bring Your Own Device (BYOD) policies governing their use in the workplace. These policies often discuss:
- What (if any) employee devices can be used for work
- What can and cannot be done with those devices (e.g., access emails but no downloading files)
- How employees connect to company networks (e.g. VPNs)
- The degree to which IT staff will support employee-owned devices
Social Media Policy
Because people can post details about their professional and personal lives on social media networks, businesses need a social media policy to document their expectations regarding the nature and tone of the information being posted. These policies can be extended to define how a company may wish to manage or monitor the online behaviour of its employees.
Social media policies need to strike a balance between the needs of the business and the legal rights of its employees, relative to the country in which the business operates.