There are many different types of policies in an organisation, including IT ones. The categories and names can be confusing, and many organisations end up with too many policies. For this reason, it is crucial to have a good policy framework or structure. We want well-written policies that invite compliance, which we achieve by making them easy to understand, concise and informative. Let’s begin by looking at the different types of policies in an organisation.
Types of policies
Policies deal with many different issues, for example:
- IT policies or ICT policies focus on information, communication or technology. We talk more about these later.
- Policies of the governing body that set the strategic direction for an organisation, like a compliance policy or an anti-bribery and corruption policy.
- HR policies focus on issues such as leave, health and safety, smoking, sexual harassment, HIV and AIDS, and recruitment and selection.
- Finance policies focus on issues related to paying and receiving money, like a fraud prevention policy.
- Customer policies like a complaints resolution policy, help desk policy, returns policy or customer acceptable use policy.
- Standard operating procedures (or SOPs) that set out how different things are done.
Actions you can take
- Update your policies by asking us to review them. You might want to start with just one.
- Put a good one in place by asking us to draft one for you.
Characteristics of good policies
Before we deal with IT policies specifically, here are some rules that should apply to all policies. They are general good practice for all rule making.
- Rules should be strict without sounding rude or disrespectful. They should never sound like the rules that adults make for children. We agree with Lewis S Eisen when he says:
Well written policies don’t sound like angry parents talking to naughty children. Well written policies sound like adults respectfully talking to adults.
- Rules should be clear. The statements should educate, have one simple interpretation and not leave the reader confused.
- Rules should be succinct. Each point should be dealt with as briefly as possible, without sacrificing detail. People do not want to read lengthy paragraphs.
Well written policy instruments can more easily be navigated, maintained and retired as necessary.
We specialise in writing and re-writing policies that don’t talk down to people because we understand the value of speaking respectfully to both our colleagues and our customers.
Our three guiding principles are that policies should be respectful, clear and succinct.
This means they should aim to be:
- specific, relevant and applicable to the target audience
- in plain and understandable language
- in line with the latest laws and rules
- clear on what is permitted and what is not
- well structured
- short and to the point
Categories of IT policies
Let’s look at some IT policies or ICT policies. They can be broken down into categories, for example:
- Information security policies focus on managing, protecting and preserving information (including personal information) belonging to the organisation and processed by employees in the course and scope of their employment. Examples include an incident response policy or an access control policy.
- Information management policies, like a record retention and destruction policy.
- Data governance policies, like a master data policy, data classification policy or framework, or data sharing policy.
- Acceptable use policies, like a backup policy, asset disposal policy, BYOD policy, clean desk policy, electronic communications policy, email usage policy, Internet usage policy, or social media policy.
- Freedom of information policies, like an Access to information manual (PAIA Manual) or a public disclosure policy.
- IT Governance, Risk and Compliance (IT GRC) policies, like a compliance policy.
- Contract management policies, like a document review policy.
- Project and Change Management policies.
- IT Goods or Services Acquisition policies.
- Availability management policies, like a disaster recovery (DR) policy or a business continuity (BC) policy.
There is an overlap between HR policies and IT policies to the extent that the “human factor” is common to both, so both cover issues in the employer and employee relationship. In our experience, HR and IT departments are not good at “speaking to one another”, with the result that many important IT-related risks posed by employees through their use of technology are not dealt with and “fall through the cracks”.
Issue and audience
There are two key questions relating to any policy:
- What is the issue to be addressed?
- Who is the intended audience? Who must comply with the policy?
Some Issue-specific IT policies
There are many essential issue-specific policies.
- Access control
- Acceptable Use of IT
- Use of Software
- Protection from Malicious Software
- Bring your own device (BYOD) or personally owned devices
- Computer use
- Email use
- Incident response (or breach management policy under POPI)
- Internet use
- Technology or device management (like laptops, cell phones, or cameras)
- Mobile technology
- Monitoring or interception of communications
- Physical and environmental security
- User accounts and passwords
- Backing up of information
- External facing and internal facing privacy policies
- Protection of Personal Information Policy or Data Protection Policy
- Social media
- Digitisation (or document imaging) policies
- Email archiving policies
- Electronic signature guidelines
Combined IT Policy
We advocate an approach which clearly differentiates between issue-specific policies, operational policies, standards and procedures, each of which should be set out in a separate document. However, certain clients specifically want one policy that covers several areas of acceptable use that we normally cover in separate policies. For them, we have developed a combined document (sometimes called an Acceptable Use of IT Policy or an Electronic Communications Policy (ECP)). It is essentially many specific policies wrapped into one document directed at one intended audience (like users).