Protect Your IT Assets With These 8 Policies

Writing IT policies isn’t fun, but it’s necessary

Writing IT policies isn’t fun, but it’s necessary. The best way to ensure a company’s IT resources are used appropriately and productively is to document requirements and expectations, and the consequences of policy violations.

Given the number of different policies out there, putting them all into one document would be enough to scare even the most diligent employees away from reading it. That’s why we suggest the best approach is to write separate policies for each area of the business. Here are 8 of the more common policies you’re going to need:

Acceptable Use Policy

This policy covers what’s expected of employees when using company IT equipment. It should include scenarios such as traveling for business. Are employees expected to use a company-provided laptop and virtual private network (VPN) to access files on the main network?

This policy should also cover what is unacceptable, stating things such as employees must not engage in any illegal or inappropriate activities using the company’s IT equipment and services.

Although the acceptable use policy can cover numerous IT assets, you may need to consider separate policies for certain resources. Instead of including an “email services” section within the acceptable use policy, perhaps create a more specific, separate email policy.

Password Policy

A 2017 study states that around 80% of hacking-related data breaches involved weak, default, or stolen passwords. This is why a password policy is important. It needs to include guidelines for creating strong passwords, how often they must be changed, and the characters they need to include. We also recommend avoiding dictionary-based passwords, such as P@55w0rd, which merely disguise a dictionary word with character substitutions. Dictionary attacks are one of the more popular ways to crack passwords.
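One way to turn those guidelines into something enforceable at account creation is a small policy check that rejects short passwords, passwords using too few character classes, and passwords that are really a dictionary word with substitutions (so P@55w0rd is caught even though it mixes symbols and digits). The following Python is an added example, not code from the article; the word list and the substitution table are constructed samples, and a real deployment would load a full dictionary or breached-password list instead.

```python
import re

# Constructed sample word list; a real policy check would load a full dictionary
# or breached-password list instead (assumption, not from the article).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "company"}

# Common character substitutions, reversed, so "P@55w0rd" normalises to "password".
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "5": "s", "$": "s", "7": "t",
})

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def normalise(password: str) -> str:
    """Lower-case the password and undo leetspeak-style substitutions."""
    return password.lower().translate(LEET_MAP)


def dictionary_match(password: str, words=COMMON_WORDS, slack: int = 5):
    """Return the dictionary word the password is built from, or None.

    A password counts as dictionary-based when it contains a listed word with
    at most `slack` extra characters, either as typed or after normalising
    substitutions (so "Summer2017!" and "P@55w0rd" are both caught).
    """
    for candidate in (password.lower(), normalise(password)):
        for word in words:
            if word in candidate and len(candidate) - len(word) <= slack:
                return word
    return None


def check_password(password: str, min_length: int = 12, min_classes: int = 3) -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes_used = sum(bool(re.search(pattern, password)) for pattern in CHARACTER_CLASSES)
    if classes_used < min_classes:
        problems.append(f"uses fewer than {min_classes} character classes")
    word = dictionary_match(password)
    if word is not None:
        problems.append(f"is based on the dictionary word '{word}'")
    return problems


if __name__ == "__main__":
    for sample in ("P@55w0rd", "Summer2017!", "Mauve-Kettle-9-Orbit"):
        print(sample, "->", check_password(sample) or "OK")
```

The thresholds (12 characters, 3 of 4 character classes, 5 characters of slack around a dictionary word) are the check's own defaults, not figures from the article; set them to whatever your policy document states so the code and the policy agree.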

Privacy Policy

If your business collects and stores personal information about its customers, employees, or other people it interacts with, it will need a privacy policy. Ensure it outlines what you collect and how it’s collected, stored, used, shared, and disposed of. You may need two policies: one that’s employee-facing and one that’s customer-facing, such as on a website.

Check your legal obligations too. Ensure you comply with any laws and regulations governing your business and the industry and locale it operates within.

Data Governance Policy

Data governance describes the measures that must be taken to manage data when it enters, goes through, and exits a company’s systems. Specifically, the policy documents how a company is making sure that its data is:

  • Accurate, complete, and consistent across data sources (integrity)
  • Easy to gather, access, and use
  • Secured at all times

The policy needs to identify those responsible for the security and integrity of the data. It may also need to mention any third parties that play a role in the company’s data management processes.

Disaster Recovery Policy

Separate from the disaster recovery plan itself, a disaster recovery policy requires that the plan be periodically tested and updated. This ensures the DR plan is more than mere words: a set of processes and procedures that have been tested and are ready if catastrophe strikes.

The DR policy outlines who is responsible for developing, testing, and updating the company DR plan. In addition, it may discuss, in broad terms, recovery requirements, allowable downtime, and business continuity.

Cloud Policy

Cloud policies specify who is responsible for evaluating and selecting cloud services. In addition, cloud policies often explicitly state that:

  • Employees are not allowed to use their personal cloud services for work. For example, they cannot store business data in a personal Dropbox or Google Drive account.
  • Employees cannot open a new cloud service account specifically for business purposes without prior authorisation. In this case, policies sometimes document how employees can get approval, or which cloud services are pre-approved.

Cloud policies cover areas such as compliance requirements, privacy policy integration, and exit strategies.

BYOD Policy

The increased use of employee personal smartphones and other mobile devices for work is prompting businesses to develop Bring Your Own Device (BYOD) policies governing their use in the workplace. These policies often discuss:

  • What (if any) employee devices can be used for work
  • What can and cannot be done with those devices (e.g., access emails but no downloading files)
  • How employees connect to company networks (e.g., VPNs)
  • The degree to which IT staff will support employee-owned devices

Social Media Policy

Because people can post details about their professional and personal lives on social media networks, businesses need a social media policy to document their expectations regarding the nature and tone of the information being posted. These policies can be extended to define how a company may wish to manage or monitor the online behaviour of its employees.

Social media policies need to strike a balance between the needs of the business and the legal rights of its employees, relative to the country in which the business operates.
