IT Support - Article published on 5th Jun 2021

5 key IT policies and procedures you really need to have in place

Over the years you have accumulated more company policies than you can keep track of, and now you have been told that you need a whole new set of IT policies on top of them. Worse still, your clients are asking to see the new paperwork. Many of you will be unsure where to start and what you really need. We will begin by looking at the key IT-related policies and procedures you should have in your business, and why you should consider them vital.

Business continuity plan (BCP)

Contrary to the popular belief of some businesses, this is not actually an IT specific document. It is essentially a plan to keep your business running in case of adverse events that you believe are of high risk to the ongoing provision of your goods or services. In short, it is the most important document you could have in your business.

Of course, IT will play a big part in formulating this plan, because your business will rely heavily on IT and the failure of those systems could cause serious damage. Such a failure is also almost certainly a risk you could have planned for. There are many other common risk factors too, such as the loss of access to your offices, travel disruption, the loss of key staff members, and the failure of plant and facilities.

Risk assessment is usually the first step in business continuity planning.

The IT team will often play a major part in mitigating these risks, or in recovering from an event when the worst happens. That is why IT is included in this round-up.

Information security policy

Information is one of the most valuable commodities there is. It is wealth, not just to your business, your clients and your staff, but also to your competitors and, more disturbingly, to cyber criminals. Businesses also face related threats such as being held to ransom, disruption of operations and, most critically in the event of a breach, loss of reputation.

All of this demonstrates the importance of recording how your business protects its data and assets, how you expect your staff to look after them, what your procedures around this are, and what to do if an incident occurs.

The place to record this is your information security policy, and it should be written in a way that your staff, clients and other business partners can understand. Your clients may well want to read this document, and if you are doing a good job of safeguarding your information, you should want them to read it too.

Fair usage guidelines

Likewise, your staff need to know how to look after business data and they need to understand how you expect them to use the business systems in general.

This could cover a wide range of areas: how you use the internet, especially social media; whether personal use of systems is allowed and, if so, in what circumstances; and so on. You could even specify the hours and locations of use if that matters to you.

Most businesses will cover this in their employee handbook. However, it is worth reviewing it to check whether it fits the needs and culture of your business, especially if it was provided as part of a package of HR documents.

Data breach procedures

This is a GDPR-driven procedure; in order to comply with the data protection laws, you must have one. In layman's terms, it is a plan that describes what your business will do should you suffer a data breach involving personally identifiable data. How you stop the cause of the breach, how you prevent it from happening again, and whether you will report the breach to the data subject (the person whose data was breached) and to the Information Commissioner's Office are crucial parts of the plan.

However, there is an opportunity to make this more than a GDPR-driven procedure. No data breach of any kind is good for your business, so having an easy-to-follow process that all of your team members understand can help you reduce the risk to your business.

Information asset register

The final 'must have' IT governance document is your information asset register. This is simply an exhaustive list of all the data your business keeps, whether or not it falls under GDPR, together with where you store it, how it is protected and who has access to it. Where any of it relates to personal data, you will also need to record the information required by GDPR.

When carrying out business risk assessments and planning, your register will be an important point of reference, and the outcome of that planning may in turn change the way you use it.

And finally…

It is probably fair to say that many businesses have already documented the necessary policies and procedures, but sadly many employees, and even some managers, may never have seen them. Your IT governance is only effective once your staff have been trained in these documents and understand them, so it pays to keep them as short and precise as possible.

The best way to make sure that your policies and procedures are up to date and that you have an effective IT governance plan is to obtain certification against an appropriate standard.