Types of IT Policies

2017-11-17T07:31:17+00:00

There are many different types of IT policies. But first, let us look at the different types of policies in an organisation.

Types of Policies

You get all types of policies dealing with many different issues.

  • HR policies focus on issues such as leave, safety and health, smoking, sexual harassment and HIV or AIDS.
  • Finance policies focus on issues related to paying and receiving money.
  • Customer policies, such as a complaints, help desk, returns or customer acceptable use policy.
  • IT policies or ICT policies focus on information, communication or technology.

Categories of IT Policies

IT Policies or ICT policies can be broken down into categories of policies, for example:

  • IT Governance, Risk and Compliance (IT GRC) policies, like a compliance policy.
  • Project and Change Management policies.
  • IT Goods or Services Acquisition policies.
  • Availability management policies, like disaster recovery (DR) and business continuity (BC) policies.
  • Acceptable Use policies, like an email usage policy or computer usage policy.
  • Information Security policies focus on managing, protecting and preserving information (including personal information) belonging to the organisation, which is generated by employees in the course and scope of their employment.
  • Information Management policies focus on managing data such as its retention and destruction.

We draft or review IT policies or ICT Policies through a “legal lens” focusing on legal compliance and legal risk issues in accordance with our Policy Framework.

There is an overlap between HR policies and IT policies to the extent that the “human factor” is common to both of them, and both therefore cover issues involved in the employer and employee relationship. In our experience, the HR and IT Departments are not good at “speaking to one another”, the end result being that a lot of important IT-related risks posed by employees through their use of technology are not dealt with and “fall through the cracks”.

Issue and audience

There are two key questions relating to any policy:

  1. What is the issue to be addressed?
  2. Who is the intended audience? Who must comply with the policy?

Some Issue-specific IT policies

There are many essential issue-specific policies. We can help you to draft or review these.

  1. Access control
  2. Acceptable Use of IT
  3. Use of Software
  4. Protection from Malicious Software
  5. Bring your own device (BYOD) or personally owned devices
  6. Mobility
  7. Telecommuting
  8. Computer use
  9. Email use
  10. Incident response (or breach management policy under POPI)
  11. Internet use
  12. Technology or device management (like laptops, cell phones, or cameras)
  13. Mobile technology
  14. Monitoring or interception of communications
  15. Physical and environmental security
  16. User accounts and passwords
  17. Backing up of information
  18. External facing and internal facing privacy policies
  19. Protection of Personal Information Policy or Data Protection Policy
  20. Social media
  21. Digitisation (or document imaging) policies
  22. Email archiving policies
  23. Electronic signature guidelines

Combined IT Policy

We advocate an approach which clearly differentiates between issue-specific, operational policies, standards and procedures, each of which should be set forth in separate documents. However, certain clients specifically want one policy that covers several areas of acceptable use that we normally cover in separate policies. For them, we have developed a combined document (sometimes called an Acceptable Use of IT Policy or an Electronic Communications Policy (ECP)). It is essentially many specific policies wrapped into one document directed at one intended audience (like users).

Characteristics of good Policies

They should be:

  • short and to the point
  • in plain and understandable language
  • well structured
  • consistent
  • in accordance with and in line with the latest laws and rules
  • clear on what is permitted and what is not
  • specific, relevant and applicable to the target audience