The Essentials of a Great IT Policy

When supported by informed, engaged employees, the policy will ensure your business remains secure while meeting industry regulation standards.

A thorough IT policy should include:

• Acceptable use policy
• Data protection
• Disaster recovery

Acceptable use policy

An AUP details the acceptable use of technology in your business. It should hold guidelines on all technology (computers, telephones, fax machines, internet, email and voicemail) as well as the consequences for any misuse. As such, all employees can be held accountable for their use of technology.

You should include how you are going to enforce the policy, making sure that it serves the interests of your business best, and that no loopholes exist.

There is a growing need to include large clauses on social media in the AUP; it is important to review security settings on profiles associated with your business, as well as notifying employees about using their personal profiles.

Some companies allow employees to take social media breaks but since it creates a ‘distracted norm’ these are best limited to lunch and after-work hours.

Data protection

The eight key principles set out in the Data Protection act of 1998 state that data should be:

• Used fairly and lawfully
• Used for limited, specifically stated purposes
• Used in a way that is adequate, relevant and not excessive
• Accurate
• Kept for no longer than is absolutely necessary
• Handled according to people’s data protection rights
• Kept safe and secure
• Not transferred outside the European Economic Area without adequate protection

You may also be required to notify the Information Commissioner’s Office (ICO) about data the firm holds. More specifically, you need to set out guidelines for protecting sensitive data, including passwords, levels of network access and virus protection.

It is imperative that all data usage complies with the government guidelines, since the ICO has the power to “issue monetary penalty notices, requiring organizations to pay up to £500,000 for serious breaches of the Data Protection Act occurring on or after 6th April 2010.”

In August 2015, a breach of data by travel company, Thomson, allowed the personal details of 458 people across the UK into the public domain. Just three months earlier, South Wales Police were issued with a £160,000 fine for losing a video recording which formed part of the evidence in a court case. The unencrypted discs had been stored in a desk drawer before they went missing.

The ICO took £2,031,250 from 18 fines in 2015, a figure that looks set to be matched in 2016.

Disaster Recovery

A firm’s ability to recover from a serious IT breakdown depends on preparation, which in turn is rooted in the following three principles:

Prevention

Taking all measures possible to avoid disaster in the first place.

Anticipation

Planning to develop measures to counter disasters which could happen.

Mitigation

Managing disasters effectively so that normal operating procedures can be restored as quickly and smoothly as possible.

Firms then need to have a robust IT Disaster Recovery Plan in place. This will hold thorough and detailed plans that need to be implemented as standard practice, to help expedite any necessary recovery process.

The DRP, which will have been tested in advance, will also contain plans on what happens during and after the occurrence of an emergency. Key objectives will include:

• Minimizing disruption to business operations
• Minimizing risk of delays
• Ensuring security is maintained
• Assuring robust backup systems
• Facilitating the speed of the recovery

A Disaster Recovery Team will be needed to lead recovery operations, with personnel being drawn from all departments including top management. The team will be responsible for carrying out a risk audit throughout the company in a way that considers the possibility of disasters occurring and the security of crucial resources.

Data collection within the risk assessment should include an inventory of policies; forms; equipment; communications; important phone numbers; contact details; customer materials and any further essential documentation.

Firms have a range of options when it comes to IT disaster recovery facilities, which span from traditional non-hosted colocation to managed colocation services and cloud-based solutions. The final choice will depend on the needs and capabilities of individual businesses.

Many IT firms build external security systems. Through colocation, businesses can create an offsite replica of the primary data store, which can take control should internal disruption occur.

A secure IT policy will legally protect the company and serve as an internal guideline for overcoming any unforeseen circumstances that my crop up.