There are many different types of IT policies. But first lets look at the different types of policies in an organisation, such as:
- HR policies focus on issues such as leave, safety and health, smoking, sexual harassment and HIV or AIDS.
- Finance policies focus on issues related to paying and receiving money.
- Customer policies, like a complaints, help desk, returns policy or customer acceptable use policy.
- IT policies or ICT policies focus on information, communication or technology.
Categories of IT Policies
IT Policies or ICT policies can be broken down into categories of policies, for example:
- IT Governance, Risk and Compliance (IT GRC) policies.
- Project and Change Management policies.
- IT Goods or Services Acquisition policies.
- Availability management policies, like disaster recovery (DR), business continuity (BC).
- Acceptable Use policies, like an email usage policy or computer usage policy.
- Information Security policies focus on managing and protecting and preserving information (including personal information) belonging to the organisation, which is generated by those employees in the course and scope of their employment.
- Information Management policies focus managing data such as its retention and destruction.
We draft or review IT policies or ICT Policies through a “legal lens” focusing on legal compliance and legal risk issues in accordance with our Policy Framework.
There is an overlap between HR policies and IT policies to the extent that the “human factor” is common to both of them and both therefore cover issues involved in the employer and employee relationship. In our experience, the HR and IT Departments are not good at “speaking to one another” the end result being that a lot of important IT related risks posed by employees through their use of technology are not dealt with and “fall through the cracks“.
Issue and audience
There are two key questions relating to any policy:
- What is the issue to be addressed?
- Who is the intended audience? Who must comply with the policy?
Some Issue Specific IT policies
We have identified many essential issue specific policies. These are some of the more specific important ones:
- Access control
- Acceptable Use of IT
- Use of Software
- Protection from Malicious Software
- Bring your own device (BYOD) or personally owned devices
- Computer use
- Email use
- Incident response (or breach management policy under POPI)
- Internet use
- Technology or device management (like laptops, cell phones, or cameras)
- Mobile technology
- Monitoring or interception of communications
- Physical and environmental security
- User accounts and passwords
- Backing up of information
- External facing and internal facing privacy policies
- POPI Policies
- Social media
Combined IT Policy
We advocate an approach which clearly differentiates between issue specific, operational policies, standards and procedures, each of which should be set forth in separate documents.
However, certain client’s specifically want one policy that covers several areas of acceptable use that we normally cover in separate policies. For them, we have developed a combined document (sometimes called a Acceptable Use of IT Policy or an Electronic Communications Policy (ECP)). It is essentially many specific policies wrapped into one document directed at one intended audience (like users).
Characteristics of good ones
They should be:
- short and to the point
- in plain and understandable language
- well structured
- in accordance with and inline with the latest laws and rules
- clear on what is permitted and what is not
- specific, relevant and applicable to the target audience
Information management policies
We draft or review Records Management Policies, which are a “top level” policy thats deals with the retention and destruction of business records and cross-refers to other related policies and documents which include:
- retention schedules (a listing of the records maintained by an organisation as required by law or for business purposes, together with the period of time that each series is to be maintained and by when such series may be reviewed for destruction or archival retention). Much confusion exists as to what a retention schedule should contain and the way in which it should be formatted. Many organisations make use of a document produced by Deloittes and Metrofile and are under the mistaken assumption that this document is a retention schedule. This document is not a retention schedule. It is a (very useful) listing of some of the legal retention periods that apply to business records.
- a records migration policy (to cover those situations where the technologies upon which records are dependent become obsolete and the records need to be migrated to new technology in order to ensure their continued accessibility and readability);
- records conversion policy (to cover those situations where records need to be converted from one form or format to another – i.e. scanning which is a form of analogue/paper to digital conversion otherwise known as digitisation);
- record retention and destruction procedures (to ensure that records are destroyed in a legally compliant manner – not all records are “equal” and should not be destroyed in the same way and different record characteristics such as volume, media and sensitivity classifications need to be taken into account when determining the destruction procedures and mechanisms);
- records hold policy and procedures (inter alia cover those situations where an organisation has to stop document destruction that ordinarily takes place when legal proceedings are contemplated or instituted).
We also draft or review:
- Digitisation (or document imaging) policies
- Email archiving policies
- Electronic signature guidelines
If you are interested,
We will contact you to find out more about your requirements.