One of the quickest IT security wins you can implement is to write and issue a clear and effective IT policy. No matter how simple, it should clearly set out the do's and don'ts of using the company's IT systems - and the penalties for breaching it.
Too often we are called in to remediate the consequences of what would have been a breach of a simple, generic IT policy. The result is compromised IT systems, data loss or theft, or sometimes a breach of internal security that leads to sensitive information leaking into the wrong hands.
Why have an IT policy?
The common defence is usually 'we didn't know we weren't allowed to do that'. Some of the cases we have come across are simply instances where common sense should have dictated that the course of action, or inaction, was wrong. However, to be fair to the individuals involved, some clear guidance, no matter how brief, would have averted embarrassment and potentially disaster, and would have given management a mechanism to enact some form of remedy when required.
A comprehensive policy is always best. However, as long as you touch upon the key issues of controlled access to company resources, use of the Internet, what can and can't be done with company data, and who it can be given to and how, you will have addressed the vast majority of the issues we have encountered that could have been averted or policed by a simple, clear and effective IT policy.
With today's proliferation of technologies and cloud services, the physical security systems you put in place can rarely address every issue of data leakage and protection, but a good policy focuses the mind and removes ignorance as an excuse for behaviours which put your data, and your business, at risk. With personal devices becoming more prevalent in the workplace, and the number of entry and exit points for data and traffic into and out of your systems growing day by day, you need a clear, grounded and simple set of rules to inform your staff.
What should be covered by an IT Policy?
You could attempt to legislate for all eventualities and develop separate policies covering every aspect of users' interaction with your IT systems. However, even a single catch-all policy covering the basics of what you may take for granted as the "common sense" items (though never take these for granted) will probably save you a significant amount of future trouble, and potentially some very awkward conversations.
People tend to behave differently when they are aware that something is being monitored, when they recognise that they have specific, measurable duties and responsibilities, and when there are explicit consequences for their actions. Even if the policy only makes them stop, think and ask whether something is OK to do before jumping in with both feet, that represents a very significant leap forward.
If you wanted to approach the issue comprehensively, there are several policy templates you can draw upon to round out your arsenal of corporate guidance on a wide range of matters:
- General IT policy
- Data security
- Social media usage
- Bring Your Own Device (BYOD)
- General Acceptable Usage Policies (AUP)
- IT systems security breach management
- Remote working/working from home
- Mobile device use and care policies
- IT security policy
- Acceptable (and unacceptable...) Internet and e-mail usage policies
- Password policy
- Backup and data safeguarding procedures
- Data recovery procedures
- Disaster recovery procedures
- Business continuity action plans
- Change management process
- Equipment and licensing requests
- Equipment purchase and disposal policies
This list is not exhaustive but gives you an idea of the wide range of IT issues that would benefit from having a clear set of rules and procedures that should be communicated to all staff.
Keeping your IT policy simple
If you want to keep things simple and work with one single policy, the above list should serve as a checklist of items to consider setting rules and procedures for, weighing the severity of the risk to the business from non-compliance against the corresponding consequences for staff. Generally:
- Be specific about what is an acceptable use of the organisation’s IT, data and resources
- Clearly detail your organisation's standpoint on using IT for personal purposes, and make clear that where it is allowed, all restrictions and safeguards still apply
- Back this up by documenting examples of what is NOT acceptable
- IT security is an area the policy should cover extensively:
  - Password policies
  - How to protect and handle company data
  - Access policies and restrictions
  - How to report incidents and breaches
- It's worth detailing what is expected with respect to accessing the Internet: which types of website can and cannot be accessed, and when personal web browsing may occur
- Clear guidance should be given on the use of e-mail as, for some reason, some people still treat it differently from 'normal' written communications, as less formal or important, even though it carries the same legal weight
- Ensure your team understands the policy, and that you get the team's explicit consent and agreement to it.
There are many online template resources for creating any IT-related policy; however, review them carefully and edit them so they are fit for purpose for your organisation. An online search for "IT policy templates" will return any number of results. We recommend the Simply Docs website to clients when we aren't drafting their policies for them – they are clear and concise, however they aren't free and require further editing.
However you draft your policies, include input from those who will be affected so that practical issues are surfaced early; for example, there is little point in putting in place security-oriented restrictions which staff will try to circumvent in order to do their jobs effectively. Take the opportunity to review how you do things at the same time as putting in place policies to manage them.
Importantly, make sure you get advice from HR and legal staff to ensure that your policies are fair and enforceable.
Consider IT training for your staff – it will not only make them more productive and self-reliant, it will expand their understanding of why policies are important. There are courses dedicated to increasing IT security awareness in the workplace as the number of threats proliferates and they become subtler and more effective. An educated workforce requires less hand-holding and is better able to recognise situations and behaviours that call for prudence but may not be covered by policy. It also means your policies can be less explicit and proscriptive, relying more on your workforce to be informed and alert.
The more detailed and restrictive a policy is, the less likely it is to be fully read and understood, and the less likely it is to be well received. Policies developed with your team, who are also given the tools to understand what the policies are for and why, are much more likely to be effective.
We would recommend taking it further, if you have the capacity, and documenting and disseminating not just your policies but your procedures as well: your templates and templated checklists, audit sheets, standard operating procedures and best practices. These could form the basis of an internal knowledge base, improving internal collaboration and helping to raise standards generally.
Systems should be fit for purpose and well configured to minimise the opportunity for breaches and poor conduct; however, it is hard to anticipate every eventuality.
Clear, straightforward and practical policies that set out what is expected of staff and why – and what happens when these expectations are breached – and that are developed in an atmosphere of collaboration and support will be effective and help maintain your organisation’s productivity, security and reputation.