Home | Current Issue | Submission | Contact Us

IT Policies Help IT Staff and Reduce Liabilities

"What do you mean I can't download ... fill-in-the-blank?" As IT managers we are constantly berated by users because they want to do something on their company computer that we know they shouldn't. But getting users to conform to reasonable standards is a real challenge for most IT departments. We live in the information age and with the benefits of technology come the associated risks and liabilities. The same tools that allow productivity gains have the potential to diminish worker productivity and to expose the company to harmful content as well as regulatory and legal liabilities.

Many business executives do not yet grasp the importance of protecting Information Technology assets from liabilities and need to focus on the legalities surrounding IT as well as the use of IT systems by employees. If you take a moment to read any newspaper you will likely find several instances in which either by ignorance or design, employees have used company IT assets in a way that puts the company at risk, or worse: gets them in serious hot water.

So why aren't companies focusing on these risks? In my experience a large part of the problem lies in staff not knowing how to begin writing acceptable use policies for IT systems. Then add to that hurdle the facts of constrained budgets, limited staff and that a typical IT manager will likely assume the company legal department will advise of any need to change policies or the management of IT assets. And at the same time, management is occupied with running the business and assumes that IT and legal will manage any issues related to these assets. Unfortunately, the legal department typically understands the broader laws but does not necessarily focus on day-to-day IT operational issues.

Liabilities will be reduced if the focus of IT, legal and the business side of the house are pulled together, to put into place reasonable and effective policies, procedures, disciplinary standards and company-wide educational programs. In addition, in doing so will give IT managers a defendable position against those users who berate them! Policies and procedures are a critical first step in protecting the organization's vital enterprise IT assets. These same policies, while protecting assets and assisting IT staff in managing user "problems," are also used as a defense against potential legal liabilities.

A legally compliant IT department must address several areas of concern, such as software license compliance, the appropriate use of the Internet and e-mail, data protection, privacy and more.

Though proper software licensing is the most frequently considered topic of IT compliance, companies face other equally important IT asset liability issues. Inappropriate use of e-mail and the Internet is as widespread a problem as copyright violations (software piracy). Bandwidth abuse and lost employee productivity are two additional areas of concern for most employers. Not only should a policy cover appropriate use but inappropriate use as well.

E-mail content filtering has become a popular solution for blocking documents containing obscene, racist, offensive or explicit words and phrases as well as for virus prevention. Another benefit of e-mail content filtering is the reduction of leaks of confidential company data. Statistics reveal that most security breaches originate from within the organization, therefore an organization must also monitor what files are leaving the network.

Significant case law supports the verity that e-mail and Internet monitoring is legal when a company provides the systems on which the employee uses these products. An employee does not have a "reasonable expectation of privacy" when using these tools. However, it is essential that the employee be advised of the company policies on these issues and that the policies are clear, well disseminated and supported company-wide.

Privacy and other forms of data protection are another big area of concern for businesses. Fines from regulatory bodies and loss of competitive data have continued to push organizations to increase control over these assets, to reduce associated liabilities and risks.

The way to efficiently educate users is to adopt, implement and enforce policies and procedures detailing the "Dos and Don'ts" of computer conduct and explaining how the organization deals with the complete lifecycle of its IT assets.

Regardless of the size of your organization, start by creating a project team to administer the implementation of an IT compliance program. The size of the team will vary from one company to the next, but regardless of the size, the organization will need to commit appropriate resources, both human and financial, for the project to be a success.

The project team should consist of a senior member of the IT department, to provide top-level exposure; of human resources, to ensure no policy violates existing regulations and to ensure that there are appropriate steps in place to discipline violators; of legal counsel, to ensure that policies and procedures drafted by the team are thoroughly reviewed and consecrated; and representatives from large departments, administration, security, training, IT, etc. If more than one physical location exists, be sure to include a member from each site to ensure that their specific needs and limitations are considered as well.

Following is a list of the areas that should be covered. (Note: this list may not be comprehensive for every environment and some areas may not apply to every organization):

Begin with an overall opening statement by the CEO (or equivalent) of the organization to not only add valuable corporate weight to the policies but also to show that these policies come from the very top and are being embraced by everyone in the organization, including the Board.

Then create policies for the following essential areas:

Software requisition, acquisition, delivery, installation and license compliance - Explain that software acquisition is restricted in order to ensure that the company has a complete record of all software that has been purchased for company computers and can register, support and upgrade said software.

Software and Hardware Disposal - Often forgotten, this policy makes sure that software/hardware is disposed of in a controlled manner. An organization may have additional disposal requirements and/or options.

Shareware, Freeware, Public Domain, Games, Fonts, Screensavers and Wallpaper - This policy is important, since users often think that because software is "free" or on evaluation, it falls outside the boundaries of the organization's software policies, and they are unaware of the licensing issues surrounding these types of software. In many cases, these are copyrighted materials and may be used only in accordance with the license agreement of the publisher.

Passwords, Security, Viruses - This policy must detail the importance of passwords, how they are administered, how often they are changed and of what characters they should consist. Stress the importance of user's keeping their passwords safe. Detail how the organization protects itself against virus attack. The omnipresence of the Internet and web-based applications can open backdoors to the corporate IT infrastructure. Employees can either willfully or by neglect expose the organization to rapidly spreading viruses or other malicious and harmful code by accessing or downloading files of unknown origin.

Data Protection - Detail the importance of your organization's data. Also, cover how employees must treat specific types of data, such as customer information, research material, legal documents and records, etc. Because each organization will guard particular information based upon the type of business, explore each topic in detail within the organization.

Internet, Instant Messaging, P2P Software - Most organizations in today's business climate will have some type of Internet policy likely covering areas such as pornography, picture and media files (GIF, BMP, PCX, JPEG, MP3, etc.), personal use and more. Companies must also be concerned with the ease of obtaining software of all types from the Internet.

E-mail - As with the Internet, there are many liabilities surrounding e-mail use. Companies should be aware of the pitfalls of improper data protection, defamatory comments, inappropriate bandwidth usage, viruses, etc. Increasingly, subject matter considered inappropriate for consumption or distribution within an organization is received, forwarded, mishandled, etc. The type of website content that is inappropriate within an organization is also unsuitable content for an e-mail.