A sound IT policy should underpin all facets of modern business. When supported by engaged and informed employees, the policy helps secure the organisation and keeps it in line with the regulations that apply to its industry.
An IT policy may include the following elements:
An acceptable use policy (AUP) sets out how technology in the organisation may be used. It should cover all technology in the business (computers, the internet, telephones, fax machines, voicemail and email) and state the consequences of misuse, so that every employee can be held accountable for their use of technology.
The AUP should also explain how the policy is enforced, with the firm's interests taking priority. Social media clauses play an increasing role in AUPs, and are one area of policy that needs regular revision to accommodate changing technologies, trends and user behaviours.
As set out in the Data Protection Act 1998, personal data should be:
- Processed fairly and lawfully
- Used for limited, specifically stated purposes
- Used in a way that is adequate, relevant and not excessive
- Kept accurate and up to date
- Kept for no longer than is absolutely necessary
- Handled according to people's data protection rights
- Kept safe and secure
- Not transferred outside the European Economic Area without adequate protection
Organisations may be obliged to notify the Information Commissioner's Office (ICO) about the personal data they hold. Internally, guidelines need to be in place for the protection of sensitive data, covering network access privileges, passwords for user and group accounts, and malware protection.
These guidelines must align with government standards, as the ICO can “issue monetary penalty notices, requiring organisations to pay up to £500,000 for serious breaches of the Data Protection Act occurring on or after 6th April 2010.”
We can expect data protection to be hitting the headlines over the coming year, as the new EU General Data Protection Regulation (GDPR) applies from May 2018. With just a year to go, GDPR replaces the existing legal framework on data protection, and many companies do not yet know what they need to do to comply with the new law.
Ignoring the developments could hold catastrophic consequences for organisations throughout the UK. The new regulations will replace the current EU Data Protection Directive 95/46/EC, and will directly apply to all EU member states.
To prepare, there are key points that businesses need to be aware of, including accountability, data protection officers (DPOs), consent, enhanced rights for individuals, privacy policies, international transfers, and breach notification.
Firms that have not yet considered these obligations are strongly advised to start planning their GDPR compliance now. The alternative is the risk of losing customers, or of fines of up to €20 million or 4 per cent of global annual turnover, whichever is higher, which could severely affect the organisation's bottom line.
Beyond regulatory compliance, organisations also need adequate preparation to withstand disaster events, should the worst occur. This preparation should be founded on three principles:
Prevention: Measures put in place to minimise the likelihood of disaster taking place
Anticipation: Developing contingencies to enact should disasters occur
Mitigation: Managing disasters so that normal operating procedures can be brought back into play as quickly and smoothly as possible
The sum of these elements will be a robust IT Disaster Recovery Plan, which will hold details on standard practice and how to expedite the recovery process. This DRP will have been tested in advance and will aim to:
- Minimise disruption to business operations
- Minimise risk of delays
- Ensure security levels are optimised throughout
- Ensure recovery is executed as quickly as possible
In turn, the plan should be owned by a dedicated Disaster Recovery Team, made up of key individuals from all departments, including the C-suite and management. Together the team is responsible for carrying out a risk audit across the firm that assesses the likelihood of an IT disaster occurring and its possible impact on resources.
IT recovery services range from traditional non-hosted colocation, through managed colocation services, to cloud-based solutions; the last of these may be the better option depending on the capabilities and needs of the individual business. Through colocation, firms can maintain a replica of their primary data store housed offsite, which can take over if the primary site fails.
In 2016, private cloud growth increased once again, with 31 per cent of enterprises running more than 1,000 virtual machines, up from 22 per cent in 2015.
Cloud services are not immune to data leakage. A private cloud reduces one class of risk, since your organisation's data sits on servers to which no other organisation has access, but it does not remove the need for access control, patching and tested backups of the environment itself.
Cloud-based disaster recovery and backup, such as that provided by Dell, can offer faster recovery times at lower cost than traditional recovery methods. Cloud technology brings high-quality recovery within the reach of companies on tighter budgets: backups of mission-critical servers can be restored in minutes on a shared or private cloud host platform.
The best IT policies hinge on an organisation's ability to focus on its crucial processes and technologies, to maintain or recover standard procedures after a planned or unplanned event, and to balance risk against cost.
As such, this work needs to integrate with the everyday running of the business so that enterprise goals are not compromised. When action plans and data protection harmonise with business continuity and objectives, practices can be refined into a plan that not only saves the day if an unfortunate event hits, but also brings improved efficiency to daily operations.