Your IT policies

Having a clear set of IT policies will help your business make effective use of IT. Additionally, it can protect your company from legal problems, security risks and unnecessary costs.

Why do you need an IT policy?

The main reasons for establishing a set of IT policies are:

• To ensure you use IT effectively. IT policies create a framework within which IT can be used. For example, they explain the best way to get support or training.
• To protect your business. For instance, a computer policy covering data processing helps ensure you use customer data within the bounds of data protection law.
• To protect your staff. An IT policy covering acceptable use will ensure your staff understand what is permitted and how much privacy they can expect when using company IT.
• To help buy, support and use IT. Many companies have an IT policy covering purchasing and support. This helps you spend your budget effectively and handle problems consistently.

IT and computer policy areas

The exact areas your IT policies should cover will depend on the nature of your business and how you use IT. For instance, if you allow homeworking, you will need a policy to explain when it is permitted and how it works in practice.

Most businesses have IT policies covering a few common areas:

• Email use and internet policy: what employees can and can’t do.
• Data protection: staying within the law and keeping data safe.
• Security: minimising the threat from viruses, hackers and so on.
• Purchasing: procedures for selecting and buying IT.
• Training and support: how employees should seek help and advice.
• Software: what software can be used in your company.

How to write a computer policy

It’s a good idea to create several policies rather cramming everything into one big IT and computer policy. Each should be a usable document which staff can read, understand and put into practice.

Build support for a new IT policy by involving everyone who might be affected. You could hold a meeting about the policy, or invite comments on a first draft.

Make sure each IT policy reflects how your business processes actually work. Preparing formal policies can be a good opportunity to review whether you should change how you do things.

There’s no point, for instance, in creating a super-cautious security policy if your staff are likely to circumvent or ignore it in order to do their jobs. In this case, your goal should be to build a secure environment without being overly restrictive.

You may wish to seek advice from legal and HR professionals when preparing your IT policy, particularly when dealing with areas covered by legislation, like data protection or employment law.

Implementing an IT policy

If you’re introducing a new computer policy, it’s not enough to send it to your staff and assume they will take notice. Policies can be ignored for lots of reasons – many of them innocent or well-meaning – as well as being misinterpreted or simply forgotten.

To communicate a new policy, run training sessions to explain its implications. Your employees need to understand why each IT policy exists, as well as what it says.

Use practical examples and consider checking employees’ understanding of your policies. Train up new starters and get staff to sign to confirm they have read and understand all your policies.

Review each IT policy annually to ensure it still fits with your business. Encourage staff to report issues. Are policies creating barriers to getting work done? Are they being followed correctly?