Businesses may think that they only need to adopt information technology policies and procedures where they are required to do so by law. However, it is a far better practice to proactively adopt IT policies and procedures to protect your business, even where you are not required to do so.
Policies and procedures work together and both are important. Policies define organizational goals, specify directives regarding certain issues and provide a mechanism for how decisions are made. Procedures provide direction to staff regarding the steps to be taken in order to complete a task consistent with company policy and encourage consistent staff behavior.
Security, privacy and intellectual property protection are some of the primary issues affecting information technology, but businesses should proactively identify and address a wide variety of issues in their policies and procedures. There is no one-size-fits-all approach to what policies and procedures should be used or what they should say, because every business has different needs, practices and functions. However, some of the issues that should be addressed include the following.
Security. The goal of a security policy is to enable a business to identify, manage and hopefully reduce security risks. Ideally, a security policy will help a business’ staff determine what specific security practices and technology solutions are necessary and appropriate for that business. Businesses should be mindful of legal requirements or other relevant security standards that should be incorporated into security policies and procedures.
Privacy. Every business should identify third-party data that it collects and assess how the data is used, stored and disclosed. After it has done so, it can establish a policy regarding treatment of confidential and sensitive information and procedures regarding how such information should be handled. Businesses in highly regulated industries (such as health care, finance and education) and in certain states and countries (for example, California and the European Union) are subject to specific limitations regarding the collection and use of third-party confidential information and so care should be taken to ensure compliance with all applicable legal requirements.
Contracting and procurement. Businesses should establish a procurement process, so that they are aware of and comply with all contractual obligations. Also, a specified department or individual should have authority to negotiate and execute contracts, including online terms of service, and someone should be tasked with keeping track of executed contracts and the timing of automatic term renewals.
Acceptable use of technology. One way to limit liability related to employees’ use of technology is to communicate to those employees what the business considers to be appropriate and acceptable use. An acceptable-use policy could include guidance regarding the use of email, Internet, social media, employee-owned devices, among other issues. A ban or prohibition on all personal use of technology is not only impractical, but could backfire, and an acceptable-use policy that stresses use of good-old common sense is often a better approach.
Records retention and destruction. Although electronic and digital storage makes it possible to retain a vast amount of documents and data, it may be more prudent to destroy records after a period of time. Every business should assess applicable legal requirements and practical considerations and evaluate how long records must be kept and then how long records should be kept.
Disaster recovery. No matter how strong a business’ security practices might be, it is likely that the business will eventually become victim to a data breach. Businesses are also vulnerable to outages and losses resulting from disasters. Each business should plan how it will react to problems such as outages and breaches. Applicable law and regulatory requirements relating to data breach notification should be identified and a response protocol to be used in the event of a breach should be established.
Intellectual property. Businesses should carefully protect their intellectual property assets in both policy and procedure. One essential practice is to deliberately protect trade secrets, copyrights and patent rights through agreements with employees and third parties. Businesses should also consider how they will evaluate the selection, registration and enforcement of their trademarks and service marks.
Although it is important to carefully consider and implement appropriate policies, it is even more important that every business communicate the policies to affected individuals and confirm that the policies are followed. Performance should be monitored and reviewed regularly, and policies should then be updated as needed. By using clear policies and procedures in this way, a business can manage risks associated with the use of IT.