Although vendor-written, this contributed piece does not promote a product or service and has been edited and approved by Network World editors.
As business leaders grow their companies, corporate assets should always be top of mind. As such, business leaders should be implementing IT policies early on in order to set standards and expectations for employees when it comes to the use of corporate technology and managing corporate data.
In parts one and two of this three-part series, I rolled out a playbook on when companies should hire their first IT consultant and what to keep in mind when appointing a CIO. In this third and final part of the series on the IT Lifecycle, I’ll discuss when companies should start rolling out formal IT policies and how to do so.
In the case of Joe’s Widget Shop, the hypothetical software startup we’ve been following, CEO Joe Smith sees his company is expanding and he needs to make significant IT investments. He has now set up an office network and has purchased laptops for each employee. Joe is now evaluating when and how to build out more formal IT policies to set rules and standards for his employees.
When to roll out formal IT policies
New laws, technologies, regulations and operational or compliance needs are all policy development triggers, but it’s important to consider that part of the “when” question can be industry specific, and not solely dependent on headcount. For example, a large construction company that has few employees in the office and most of its employees out in the field probably doesn’t need the same types of IT policies as Joe’s Widget Shop, which is a small tech company with employees on computers all day long.
When implementing formal IT policies, it’s important for Joe to specify the structure and criteria for how each IT policy, guideline or standard should be categorized. Joe should also outline a process for initiating, reviewing, approving and revising IT policies. This includes having a plan in place to manage ongoing roles and responsibilities associated with IT policy development and maintenance.
One common mistake to avoid is repurposing previous examples of IT and security policies found online or “borrowed” from a previous job. Instead, it is important for Joe to take the time to create a custom policy, which aligns with the needs of his particular business.
How to lay down the law
Without written policies, there are no standards to reference. It’s important for Joe to note that policies should clearly define “acceptable use” for both company-owned and employee-owned technology.
But just defining policies isn’t enough. It’s essential that Joe educate employees on the proper process and protocol for using corporate equipment and technology, and that he tie this education into the overall security strategy of the organization. When establishing IT policies, Joe should outline password requirements, levels of access, confidentiality, restricted third-party or shadow IT applications, and best practices for malware protection.
Instead of just listing out rules, Joe should also provide comprehensive guidelines for things like network configuration, onboarding new employees and setting permission levels for employees. There should also be guidelines outlining how to handle certain IT issues, specifying points of contact for employee technical support, maintenance, installation and long-term technology planning.
Finally, in order to ensure compliance among all employees, it’s important for Joe to communicate the reasoning behind these rules and structure. Employees will be more diligent about doing their part to be compliant once they have better insight into the rationale and benefits behind such policies. Joe should stress that these rules are in place to protect the business and company assets.
Policies and procedures are often given little attention until something goes wrong, but there’s no reason to wait. Avoid potentially costly problems by establishing clearly defined policies in advance of any mishaps so that you can help ensure that your organization and its assets are secure and compliant.
Intermedia is a one-stop shop for cloud business applications. Intermedia serves over 70,000 businesses and has 6,000 active partners, including VARs, MSPs, key distributors and telecoms. Intermedia has over 700 employees worldwide who manage numerous datacenters to power its Office in the Cloud. For more information, visit Intermedia.net.