Although vendor-written, this contributed piece does not promote a product or service and has been edited and approved by the editors.
As business leaders grow their companies, corporate assets should always be top of mind. As such, business leaders should be implementing IT policies early on in order to set standards and expectations for employees when it comes to the use of corporate technology and managing corporate data.
In parts one and two of this three-part series, I rolled out a playbook on when companies should hire their first IT consultant and what to keep in mind when appointing a CIO. In this third and final part of the series on the IT Lifecycle, I’ll discuss when companies should start rolling out formal IT policies and how to do so.
In the case of Joe’s Widget Shop, the hypothetical software startup we’ve been following, CEO Joe Smith sees his company is expanding and he needs to make significant IT investments. He has now set up an office network and has purchased laptops for each employee. Joe is now evaluating when and how to build out more formal IT policies to set rules and standards for his employees.
When to roll out formal IT policies
New laws, technologies, regulations and operational or compliance needs are all policy development triggers, but it’s important to consider that part of the “when” question can be industry specific, and not solely dependent on headcount. For example, a large construction company that has few employees in the office and most of its employees out in the field probably doesn’t need the same types of IT policies as Joe’s Widget Shop, which is a small tech company with employees on computers all day long.
When implementing formal IT policies, it’s important for Joe to specify the structure and criteria for how each IT policy, guideline or standard should be categorized. Joe should also outline a process for initiating, reviewing, approving and revising IT policies. This includes having a plan in place to manage ongoing roles and responsibilities associated with IT policy development and maintenance.
One common mistake to avoid is repurposing previous examples of IT and security policies found online or “borrowed” from a previous job. Instead, it is important for Joe to take the time to create a custom policy that aligns with the needs of his particular business.
How to lay down the law
Without written policies, there are no standards to reference. It’s important for Joe to note that policies should clearly define “acceptable use” for both company-owned and employee-owned technology.
But just defining policies isn’t enough. It’s essential that Joe educate employees on the proper process and protocol for using corporate equipment and technology, and that he tie this education into the overall security strategy of the organization. When establishing IT policies, Joe should outline password requirements, levels of access, confidentiality, restricted third-party or shadow IT applications, and best practices for malware protection.