How to Develop IT Policies that Address Your Organization’s Specific Needs

In our last post, we outlined nine must-have IT policies for reducing security and compliance risks. Many organizations have responded to the uptick in cyberattacks by upgrading their IT security arsenal. However, the best security technology in the world will have limited effectiveness if you don’t have policies and procedures in place to support an overarching security strategy. IT policies set clear rules and expectations about the use of technology and data across the organization. They also clarify IT-related responsibilities and enable managers to make consistent decisions.

Recognizing the need for IT policies is the first step. Understanding the basic types of policies required is the second step. Developing IT policies specific to the needs of your organization is the third and most critical step. IT policy templates are readily available online, but topics will need to be added, removed and changed to meet your business, security and compliance requirements.

Developing IT policies and procedures begins with identifying specific needs, problems and requirements that each policy should address. For example, are remote workers using unapproved applications and storing and sharing data in a way that risks exposure? Is it taking too long for customer issues to be resolved? Is productivity suffering due to redundant, manual tasks? These issues need to be laid out so policies that address them can be developed.

The development of IT policies is a process that will likely take several months. Identify a person to lead the process and build a team to contribute to various areas. The first job of this individual and team is to create a policy development plan, including tasks, timelines, roles and responsibilities.

IT policy development requires extensive research. What are your legal and regulatory obligations? What documents, such as meeting minutes, annual reports and event recaps, could be relevant to future IT policies? What staff members should be interviewed or surveyed so you can better address the issues you’ve identified? Involve legal, compliance and human resources in this process.

Prepare a discussion paper that summarizes all issues, the findings of your research, and policy options for addressing each issue. This paper will serve as a valuable reference during the consultation process, which involves requesting detailed feedback on your discussion paper from key stakeholders within the organization. This may require several group and one-on-one meetings.

Once all feedback has been gathered, prepare an initial draft of your IT policies. This draft should be reviewed carefully by all key stakeholders, and then discussed and updated to ensure the wording of each policy is precise and minimizes confusion. That doesn’t mean policies should be filled with jargon and long-winded explanations. Make them as simple as possible so they’re easy to follow. Once all parties are satisfied with the updated versions of each policy, the policies should be formally approved and adopted in writing by senior management.

All employees should be thoroughly trained so they can implement your policies correctly. A great policy can fail if not fully understood. Keep in mind that IT policies should be living documents that are reviewed at least annually. As business needs, technology and industry regulations change, IT policies will likely need to be re-evaluated and updated. When updates are made, employees should be alerted to each change and trained.

Formal IT policies and procedures are critical to the security of any organization, regardless of size. Verteks can sit down with you to discuss IT best practices that will help ensure your policies minimize risk.

