"What do you mean I can't download ... fill-in-the-blank?"

As IT managers we are constantly berated by users because they want to do something on their company computer that we know they shouldn't. But getting users to conform to reasonable standards is a real challenge for most IT departments. We live in the information age, and with the benefits of technology come the associated risks and liabilities. The same tools that allow productivity gains have the potential to diminish worker productivity and to expose the company to harmful content as well as to regulatory and legal liabilities.

Many business executives do not yet grasp the importance of protecting Information Technology assets from liabilities and need to focus on the legalities surrounding IT as well as the use of IT systems by employees. If you take a moment to read any newspaper you will likely find several instances in which, either by ignorance or by design, employees have used company IT assets in a way that puts the company at risk, or worse: gets them into serious hot water.

So why aren't companies focusing on these risks? In my experience a large part of the problem lies in staff not knowing how to begin writing acceptable use policies for IT systems. Add to that hurdle the facts of constrained budgets, limited staff, and that a typical IT manager will likely assume the company legal department will advise of any need to change policies or the management of IT assets. At the same time, management is occupied with running the business and assumes that IT and legal will manage any issues related to these assets. Unfortunately, the legal department typically understands the broader laws but does not necessarily focus on day-to-day IT operational issues.

Liabilities will be reduced if the focus of IT, legal and the business side of the house are pulled together to put into place reasonable and effective policies, procedures, disciplinary standards and company-wide educational programs. In addition, doing so will give IT managers a defendable position against those users who berate them! Policies and procedures are a critical first step in protecting the organization's vital enterprise IT assets. These same policies, while protecting assets and assisting IT staff in managing user "problems," also serve as a defense against potential legal liabilities.

A legally compliant IT department must address several areas of concern, such as software license compliance, the appropriate use of the Internet and e-mail, data protection, privacy and more.

Though proper software licensing is the most frequently considered topic of IT compliance, companies face other equally important IT asset liability issues. Inappropriate use of e-mail and the Internet is as widespread a problem as copyright violations (software piracy). Bandwidth abuse and lost employee productivity are two additional areas of concern for most employers. A policy should cover not only appropriate use but inappropriate use as well.

E-mail content filtering has become a popular solution for blocking documents containing obscene, racist, offensive or explicit words and phrases, as well as for virus prevention. Another benefit of e-mail content filtering is the reduction of leaks of confidential company data. Statistics reveal that most security breaches originate from within the organization; therefore an organization must also monitor what files are leaving the network.

Significant case law supports the verity that e-mail and Internet monitoring is legal when a company provides the systems on which the employee uses these products. An employee does not have a "reasonable expectation of privacy" when using these tools. However, it is essential that the employee be advised of the company policies on these issues and that the policies are clear, well disseminated and supported company-wide.

Privacy and other forms of data protection are another big area of concern for businesses. Fines from regulatory bodies and loss of competitive data have continued to push organizations to increase control over these assets, to reduce associated liabilities and risks.

The way to efficiently educate users is to adopt, implement and enforce policies and procedures detailing the "Dos and Don'ts" of computer conduct and explaining how the organization deals with the complete lifecycle of its IT assets.

Regardless of the size of your organization, start by creating a project team to administer the implementation of an IT compliance program. The size of the team will vary from one company to the next, but regardless of the size, the organization will need to commit appropriate resources, both human and financial, for the project to be a success.

The project team should consist of a senior member of the IT department, to provide top-level exposure; of human resources, to ensure no policy violates existing regulations and to ensure that there are appropriate steps in place to discipline violators; of legal counsel, to ensure that policies and procedures drafted by the team are thoroughly reviewed and approved; and representatives from large departments, administration, security, training, IT, etc. If more than one physical location exists, be sure to include a member from each site to ensure that their specific needs and limitations are considered as well.

Following is a list of the areas that should be covered. (Note: this list may not be comprehensive for every environment and some areas may not apply to every organization.)

Begin with an overall opening statement by the CEO (or equivalent) of the organization, not only to add valuable corporate weight to the policies but also to show that these policies come from the very top and are being embraced by everyone in the organization, including the Board.

Then create policies for the following essential areas:

Software requisition, acquisition, delivery, installation and license compliance - Explain that software acquisition is restricted in order to ensure that the company has a complete record of all software that has been purchased for company computers and can register, support and upgrade said software.

Software and Hardware Disposal - Often forgotten, this policy makes sure that software/hardware is disposed of in a controlled manner. An organization may have additional disposal requirements and/or options.

Shareware, Freeware, Public Domain, Games, Fonts, Screensavers and Wallpaper - This policy is important, since users often think that because software is "free" or on evaluation, it falls outside the boundaries of the organization's software policies, and they are unaware of the licensing issues surrounding these types of software. In many cases, these are copyrighted materials and may be used only in accordance with the license agreement of the publisher.

Passwords, Security, Viruses - This policy must detail the importance of passwords, how they are administered, how often they are changed and of what characters they should consist. Stress the importance of users keeping their passwords safe. Detail how the organization protects itself against virus attack. The omnipresence of the Internet and web-based applications can open backdoors to the corporate IT infrastructure. Employees can, either willfully or by neglect, expose the organization to rapidly spreading viruses or other malicious and harmful code by accessing or downloading files of unknown origin.

Data Protection - Detail the importance of your organization's data. Also, cover how employees must treat specific types of data, such as customer information, research material, legal documents and records, etc. Because each organization will guard particular information based upon the type of business, explore each topic in detail within the organization.

Internet, Instant Messaging, P2P Software - Most organizations in today's business climate will have some type of Internet policy, likely covering areas such as pornography, picture and media files (GIF, BMP, PCX, JPEG, MP3, etc.), personal use and more. Companies must also be concerned with the ease of obtaining software of all types from the Internet.

E-mail - As with the Internet, there are many liabilities surrounding e-mail use. Companies should be aware of the pitfalls of improper data protection, defamatory comments, inappropriate bandwidth usage, viruses, etc. Increasingly, subject matter considered inappropriate for consumption or distribution within an organization is received, forwarded, mishandled, etc. The type of website content that is inappropriate within an organization is also unsuitable content for an e-mail.

Auditing and Monitoring - This policy alerts users to the fact that regular monitoring of and audits on company IT assets are conducted. The policy must contain a statement indicating that the user should have "no reasonable expectation of privacy" for any file, message, or content on any company system.

Mobile, Laptop and PDA Users - Mobile devices are a difficult group of assets to control because of the device portability and the fact that they may rarely connect to the corporate network. Because of this, laptop users often believe that they fall outside the boundaries of the software policies. It is essential that appropriate policies as well as unique procedures are created to address this elusive group of users.

Backup and Maintenance of IT Systems - Be sure to define who is responsible for system backup and how these tasks are completed. This policy is important because organizations rarely look at licensing, retention and destruction, e-discovery and privacy issues when creating backup procedures. It is essential to address these issues before having to retrieve from backup because of an unforeseen problem or because of litigation.

Disciplinary Procedures - Policy statements can be a waste of time if they are not reinforced with disciplinary procedures for those who breach them. Your organization may already have procedures in place, and these must be included in any set of technology policies.

Policy Review - It is important to review and update policies and procedures when needed. The team, or a subset of the initial compliance team, will need to review the policies and procedures on an annual basis (or more frequently, if needed) to respond to changes in the business environment and the larger legal environment. Users must be told how new policies will be communicated.

Furthermore, additional policies not included in this list will likely be required in some organizations. For example, financial institutions and hospitals are regulated by outside bodies that require specific situations to be handled in the manner specified. Ensure that the company's legal representatives ascertain the requirements made by other regulatory agencies and incorporate those demands into the policies and procedures.

Policy statements should be short and to the point. Procedures can be long and detailed. Use a standard format for all of the policies, including the policy area to be covered, the reasons for the policy and a procedure specifically adapted for your organization.

Lastly, but of great importance -- make sure your users are trained on the policies. I can't tell you how many organizations miss this essential step! The policies will not be defendable or, frankly, enforceable unless users are made aware of them. For the best results, have your internal training department (or other suitable group) develop a system to train users, track the training and collect a written agreement to follow the policies from every employee.

Make sure all new employees receive training and sign an agreement. At least once per year conduct follow-up training, which need not be as comprehensive but should serve to remind users of the company's commitment to compliance.

I promise you, the effort you put forth developing company-wide IT policies and procedures will pay off multifold -- this isn't an IT problem; this is a company problem, and the solution needs to be addressed company-wide.