Having too few or too many IT policies can lead to problems. Here is a common-sense approach you can use to determine which IT policies your company needs.
Having too few IT policies can lead to problems. Policies are needed because the rules and requirements documented in them help ensure that a company’s IT resources are being used appropriately, productively, and securely.
Having too many IT policies can also be problematic. Policy overload can make employees feel that they are not trusted or allowed to think on their own, which can cause discontentment. It can also lead to employees not reading the policies, which means they might not be adhering to crucial ones.
To find the right balance, you can use a common-sense approach to determine which IT policies your company needs. This approach is also useful when determining what to include in those policies.
What to Do
Lists of must-have IT policies are easy to find. However, creating IT policies based on a one-size-fits-all list can result in unnecessary or missing policies. A better approach is to first identify the situations in which your company needs documented rules and requirements and then create policies to meet those needs. Common situations include:
The need to comply with laws or regulations that include IT-related requirements. An increasing number of laws and regulations include IT-related requirements, such as the need to protect people’s privacy and properly secure their personal data.
If your company must comply with any laws or regulations that include IT-related requirements, you should check whether they mandate the creation of certain IT policies. For example, if you collect personal information from California residents on your company’s website, California state law requires you to post a privacy policy on that site that tells people the types of personal data being collected and other pertinent information. Similarly, both the Security Rule and the Privacy Rule of the US Health Insurance Portability and Accountability Act (HIPAA) stipulate that organizations under their jurisdiction must establish and implement policies to comply with the rules’ provisions. Even if a law or regulation does not specifically state that certain policies must be created, it is a good idea to create them anyway, since having IT policies in place will help ensure compliance.
The need to document and formalize privacy practices. Laws and regulations like HIPAA are affecting most businesses, even those that do not have to comply with them. They are bringing to light people’s desire to have more control over their personal data and to be assured that their data is being properly handled and secured. If you want to let your customers and employees know that you are serious about protecting their privacy and personal data, it is important to create a privacy policy, assuming the information is not covered elsewhere (e.g., in the policies mandated by HIPAA). In the privacy policy, you can document how your company collects, stores, uses, and disposes of customers’ and employees’ personal data.