Writing IT policies is not exactly fun, but it is important. They help ensure that a company’s IT resources are used appropriately and productively. Besides documenting requirements and expectations, IT policies often discuss the consequences of policy violations.
There are many different types of IT policies. For example, some IT policies document what must be done to safeguard business data. Other policies outline the actions needed to protect a company’s IT equipment and services. There are even policies that cover whether employees can use their personal devices for work.
Putting all the IT policies into one document would be enough to scare off even the most enthusiastic business leader from writing it and the most diligent employee from reading it. A better approach is to write a separate policy for each area important to a business. Here are eight IT policies commonly found in companies:
1. Acceptable Use Policy
The acceptable use policy covers what is expected of employees when they are using a company’s IT equipment (e.g., computers, printers) and services (e.g., email, Internet access). For example, when traveling for business, employees might be expected to use a company-provided laptop and virtual private network (VPN) to access files on the main network. Equally important, this policy also covers what is unacceptable. For instance, this type of policy typically states that employees must not engage in any illegal or inappropriate activities using the company’s IT equipment and services.
By its very nature, the acceptable use policy covers many IT assets. For this reason, companies sometimes create separate policies for certain resources. For example, rather than include an “email services” section in the acceptable use policy, they create a separate email policy.
2. Password Policy
Cybercriminals often count on being able to crack passwords when they attack businesses. One 2017 study found that more than 80% of hacking-related data breaches involved weak, default, or stolen passwords. Thus, it is important to have a password policy. This type of policy usually covers guidelines for creating strong passwords, how often passwords should be changed, and other password requirements (e.g., do not reuse or share).
Companies typically collect and store a lot of personal information about customers, employees, and other people with whom they interact. Examples of personal data include names, credit card numbers, driver license numbers, birthdates, home phone numbers, and personal email addresses.
4. Data Governance Policy
Data is a crucial element in most businesses’ operations. The data governance policy describes the measures that must be taken to manage the data when it enters, goes through, and exits a company’s systems. Specifically, the policy documents how a company is making sure that its data is:
- Accurate, complete, and consistent across data sources (i.e., data integrity)
- Easy to gather, access, and use
- Secured at all times
The data governance policy also identifies the people responsible for maintaining the security and integrity of the data. Plus, if applicable, it might mention any third parties that play a role in the company’s data management processes.
5. Disaster Recovery Policy
Most companies have disaster recovery plans that discuss the processes and procedures to be used to recover IT systems, applications, and data if a disaster occurs. Having a disaster recovery plan is crucial, but it is also important to have a disaster recovery policy.
A disaster recovery policy requires that the disaster recovery plan be tested and periodically updated. This policy helps the disaster recovery plan go from being words on paper to processes and procedures that will be ready for implementation if catastrophe strikes.
The disaster recovery policy identifies who is responsible for developing, testing, and updating the company’s disaster recovery plan. In addition, it often discusses, in broad terms, recovery requirements, such as allowable downtime and how to ensure business continuity in the event of downtime.
6. Cloud Policy
Cloud policies specify the person or group responsible for evaluating and selecting cloud service providers. They also usually include what must be done during that process, such as conducting security and risk assessments of potential providers.
In addition, cloud policies often explicitly state that:
- Employees are not allowed to use their personal cloud services for work. For example, they cannot store business data in a personal Dropbox or Google Drive account.
- Employees cannot open a new cloud service account specifically for business purposes without prior authorization. In this case, policies sometimes document how employees can get approval or they list pre-approved cloud services.
7. BYOD Policy
Employees are increasingly using their personal smartphones and other mobile devices for work. This is prompting many companies to develop Bring Your Own Device (BYOD) policies to govern the use of employee-owned devices in the workplace. These policies often discuss:
- What (if any) personal mobile devices can be used for work
- What can and cannot be done with those devices (e.g., allowed to access emails but not download files)
- How employees are supposed to connect to the company network (e.g., through a VPN)
- The degree to which the IT staff will support the employee-owned devices
8. Social Media Policy
People post many details about their professional and personal lives on social media networks. Companies use social media policies to document their expectations regarding the nature and tone of the information being posted. These policies also define how a company will manage and monitor the online behavior of employees.
Social media policies need to strike a balance between a company’s needs and the legal rights of its employees, given the country in which the business operates.