Define and maintain IT policies

Although the importance of IT within business is being increasingly recognized, the protection of the IT investment is often neglected. The biggest threat to any IT infrastructure is usually internal, though often it does not stem from malicious intent; it is most often due to ignorance. Implementing IT policies within your organisation will help to minimize potential risks to your business and create a framework for your employees to operate within.

In most SMEs, the business decision makers do not understand the risk of a “free” IT environment and rely on trust between them and their employees to manage their use of IT. In a more mature IT environment policies are often created, but not communicated or understood, which results in a powerless document that is not enforceable. Policies are also not re-evaluated and adjusted, which, in the fast-changing world of IT, could render them impractical.

It is important to implement IT policies within your organisation because they ensure that business is conducted according to a specific set of rules and guidelines. These guidelines will reduce risks to your business, such as information/data loss or potential damage to the company’s reputation. They will ultimately also reduce the cost of computing maintenance and network downtime.

Successful policy management should result in documented, up-to-date guidelines that address the desired actions and behaviors of an organisation and the users within the organisation:

Figure 1: Different goals that policies try to achieve for the business and end users

The complexity of the issues involved in successfully implementing IT policies means that the size and shape of policies may vary widely from company to company. This depends on many factors, including the size of the company, the sensitivity of the business information and the types of information and computing systems they use.

The following is a list of general policies needed in any company – big or small:

Figure 2: Commonly found IT policies in the SME space

It is important that companies don’t aim too high initially and try to develop a comprehensive and complex policy program straight away. Start off small, with checklist-style policies and a skeleton policy framework, developing the essential policies first. As the process grows in maturity, your business will be able to develop a full range of policies.

For a larger company, developing a single policy document that speaks to all types of users within the organisation and addresses all the necessary IT-related issues may prove impossible. A more effective concept is to develop a suite of policy documents to cover all bases, which can then be targeted at specific departments / audiences, making it a more efficient process for everyone.

The general process flow of developing policies is as follows:

Figure 3: The major policy management processes

In small or medium enterprises it might very well be the responsibility of a specific individual or small group to manage the process, from determining the requirements to enforcing them. It is, however, extremely important that the right role players are involved to ensure a successful implementation throughout the organisation.

Policies and their implementation are only successful if they are aligned with the business goals and there is executive buy-in. It can be a daunting task to produce a policy, but by following the correct process and getting buy-in from all related parties, an organization can be successful at creating a policy management structure.

IT Policies provide evidence of the company’s position on the use of IT and offer a living tool for every employee to adhere to. It is therefore essential that all policies are accurate, comprehensive and useable. The end result is an organization that is compliant with management directives.