Thursday, July 15, 2010

Do we need a structured IT policy for our company?

This is actually an HR question, not a systems question, but it somehow always falls to the IT department to answer because they are the experts on the risks associated with this area of the business.

Essentially, it should be up to the IT department to work with the HR department to ensure the right policies are in place for your IT systems.

There are a number of risks inherent to your business IT systems that locking down computers can limit – but not really remove.

Some of these risks are:

  • Loss of data through deletion and corruption.
  • Data theft.
  • Leaking of information protected by the Privacy Act, confidentiality requirements or expectations.
  • Exposing staff to indecent media (text, sound or graphics).
  • Inappropriate use of company equipment and resources including:
    • Downloading of illegal or inappropriate material
    • Downloading of bulk materials (known as leeching)
    • Distribution of spam
    • Use of stolen or pirated software
    • Distribution of stolen or pirated software
    • Hosting of inappropriate material for download
    • Relaying illegal activity through company systems (attackers like to hide behind other people's identities and equipment).
  • Triggering malware infections by running web scripts on inappropriate websites.

Unfortunately, this list goes on and on. Many of these risks can be mitigated with good use of security systems within your organisation, but not all of them can be prevented or detected without significant expense. With a strong IT policy in place, staff can be encouraged not to deliberately embark on these activities and – if caught – can be firmly disciplined or, if necessary, removed from the company.

IT policy can also be used to set expectations about who owns the data stored on the systems, and who owns any IP created or stored on the systems.

I've seen many examples of IT policy being required by a range of companies. One such example was a case where staff were downloading videos using torrent software, and ran up a bill for many thousands of dollars before being found out.

I've also seen employees downloading and running pirated software to "get a job done" when the required software was not made available to them. The employees were thinking "get the job done, don't spend money", but management were oblivious to the risks this exposed the company to. Good systems monitoring may have prevented both issues, but clear policy can deter staff from embarking on the wrong path.

You may not need a policy in a small company if you think you know your staff well. However, think about it like this – an IT policy:

  • Is easy to introduce;
  • Turns management's expectations into clear communication (never a bad thing); and
  • Can save you if there is ever an unexpected breach.

If you work with a good IT advisor, they should have templated policy documents. I recommend that as a good place to start.


David Markus is the founder of Combo - the IT services company that ensures IT is never an impediment to growth.
