Date: May 14, 2012 - 6 pm
Category: Advice, Information Management, Information Security, Labour, Policies, Services
Types of policies
There are different types of policies in an organization, such as HR Policies, Finance Policies, IT Policies, Information Security Policies and Information Management Policies.
- “HR policies” focus on issues such as leave, safety and health, smoking, sexual harassment and HIV/AIDS;
- “Information security policies” focus on managing, protecting and preserving data belonging to the organisation which is generated by its employees in the course and scope of their employment;
- “IT policies” are closely related to “information security policies”, but focus on the supporting processes (e.g. procurement policies) and supporting systems;
- “Information Management policies” focus on managing data, such as its retention and destruction.
There is an overlap between HR policies and information security policies to the extent that the “human factor” is common to both of them, and both therefore cover issues involved in the employer and employee relationship. In our experience, the HR and IT Departments are not good at “speaking to one another”, the end result being that a lot of important information security related risks posed by employees through their use of technology are not dealt with and “fall through the cracks”.
We draft information security and information management policies through a “legal lens” focusing on legal compliance and legal risk issues.
Information security policies
Based on discussions we have had with information security experts, we have identified 22 essential policies. These are some of the more important ones:
- Access control;
- Acceptable usage;
- Bring your own device (BYOD);
- Computer usage;
- E-mail usage;
- Incident response (or breach management policy under POPI);
- Internet usage;
- Mobile technology;
- Physical and environmental;
- External facing and internal facing Privacy policies;
- Social media.
We advocate an approach which clearly differentiates between issue-specific policies, operational policies, standards and procedures, each of which should be set forth in a separate document. However, certain clients specifically want one policy that covers several areas that we would normally cover in separate policies. For them we have developed an “Electronic Communications Policy” (or “ECP”).
Information management policies
The following are examples of the types of policies we draft or review:
- Records Management Policy
A “top level” policy which deals with the retention and destruction of business records and cross-refers to other related policies and documents which include:
- retention schedules (a listing of the records maintained by an organisation as required by law or for business purposes, together with the period of time that each series is to be maintained and by when such series may be reviewed for destruction or archival retention) *
- a records migration policy (to cover those situations where the technologies upon which records are dependent become obsolete and the records need to be migrated to new technology in order to ensure their continued accessibility and readability);
- records conversion policy (to cover those situations where records need to be converted from one form or format to another, e.g. scanning, which is a form of analogue/paper-to-digital conversion otherwise known as digitisation);
- record retention and destruction procedures (to ensure that records are destroyed in a legally compliant manner; not all records are “equal” and they should not all be destroyed in the same way, so different record characteristics such as volume, media and sensitivity classification need to be taken into account when determining the destruction procedures and mechanisms);
- records hold policy and procedures (which inter alia cover those situations where an organisation has to stop the document destruction that ordinarily takes place, because legal proceedings are contemplated or have been instituted).
* Much confusion exists as to what a retention schedule should contain and the way in which it should be formatted. Many organisations make use of a document produced by Deloittes and Metrofile and are under the mistaken assumption that this document is a retention schedule. This document is not a retention schedule. It is a (very useful) listing of some of the legal retention periods that apply to business records.
- Digitisation (or document imaging) policy
- E-mail archiving policy
- Electronic signature guidelines