
IT Policy

 

Definition:

An IT Policy consists of a set of rules or regulations that ensure or guide compliance within the area of IT. These guidelines must include those set by the law but can also be determined by the organization itself. 

 

Why is it important?

It is important for employees to know what is expected and required of them when using the technology provided by their employer, and it is critical for a company to protect itself by having policies to govern areas such as personal internet and email usage, security, software and hardware inventory and data retention. It is also important for the business owner to know the potential lost time and productivity at their business because of personal internet usage (Corporate Computer Services, Inc).

 

Role of IT Policy:

The role of IT policy is to provide a set of rules or guidelines for employees to ensure the security of information and resources in an organization.

 

Guidelines:

 The guidelines listed below outline the major areas and steps to cover when creating company policy and ensuring that it is understood and followed:

  1. Define the Scope of the Policy - Establishing the scope of company policy includes identifying the individuals and processes that are working within the policy as well as those who are not affected by the policy.  The scope also outlines the actions and effects that policy will have on the organization.  A definition of scope sets up the guidelines for accountability and the individual roles and responsibilities involved (Varner, 2013).

  2. Define Roles and Responsibilities - Defining roles and responsibilities will clearly indicate who and what is allowed to perform a particular task or have access to information.  This can be further broken down using the RACI model for increased clarification.  This will ensure that an organization’s employees know their role and can execute their responsibilities in an effective manner (Varner, 2013).

  3. Accessibility - The IT policy should be available to all employees and easy to access. For example, the company's policy should be available on the company's website that all employees can access.

  4. Be clear and concise - Make sure everyone has a clear understanding of the purpose of the policy. Create a uniform policy format to ensure that information is presented to the reader in a consistent manner (Bryant, 2006).

  5. Update and train - Policy is likely to change as the needs of an organization change. For this reason it is necessary to regularly train employees about current policy and provide examples of how policy affects their work (Taylor, 2001).

  6. Detail Acceptable Use and BYOD - Incorporating an acceptable use policy will establish how employees are allowed to use company devices as well as their own devices while on the company’s network (GFI, 2011).  An acceptable use policy will also discourage wasting company time by detailing sanctions and reprimands for misuse of an organization’s assets.

  7. Create a Policy Map - Policy mapping is used by an organization that must meet regulations set by the government.  Policy mapping details the individual rules that require compliance by an organization and establishes the areas where the organization needs to ensure compliance is obtained.  The policy map is the equivalent of a checklist the organization creates to ensure all regulation requirements are fulfilled (Varner, 2013).

 

Tools and Best Practices:

 

COBIT - COBIT enables the development of clear policy and good practice for IT control throughout enterprises (IT Governance Institute, 2007).

Use other policies as references - Many policies can be found through Google. IT managers just need to do some research to find the ones that fit their organization and use them as references.

IT policy best practices apply to: Acceptable Use, Information Security Policy, Access Control, Internet and Email, Network Printer, Copier, and Multi-function Device, etc.

 

 

 
