How do I come up with effective IT policies?
February 4, 2009 9:33 PM

My organization has tapped me to write and define IT policies and procedures. What are some examples of level-headed policies I can show them and won't turn us into one of those organizations where people end up tunneling to their home computers to check their gmail?

We are not a high security organization. There's no real reason to keep everyone's computers locked down like data fortresses. We don't have to comply with any sort of government regulation. This is all internal busy work. There is some hope though. When I asked what they would like to see, they gave me very general things, "No looking at porn at work," or "No using company e-mail accounts in an inappropriate manner." The executives I am working with have no idea how IT works, which has its downsides, but I think I might be able to spin this to my advantage. On the other hand, I have an executive who sees the receptionist on Facebook all day and wants to "ban The Facebook" (they're paying her $12/hr to watch the phones, which she does and does well, you get paid six figures, take several months of vacation and show up whenever you want, give her a break).

So what are some examples of good policies? Any textbooks or papers someone wants to refer me to? I'm having dreams of Kafka's The Castle here. Right now my policies are technically driven, you get this level of access if you're in this position, you can use up so much network storage, mail attachments are limited to such-and-such MB per message, mailboxes are limited to 20GB, etc. I don't feel as if defining "don't look at porn" is necessary, and I find it incredibly insulting. I also feel as if you expect us to dedicate ourselves to the company, miss family events, we should be treated as professionals. I just need to codify this in HR speak.

Surely someone here has seen effective policies in place that make sense, allow people the freedom to work and not always run against silly policies. I guess my biggest fear is that the policies are so broad, such as "no checking personal e-mails," that it is not enforced through electronic means and thus only enforced selectively and used as a passive-aggressive weapon.
posted by anonymous to Work & Money (14 answers total)
 
You're going to have to say something about personal use, and yes, what you said about tunneling to the home computer for gmail. I've been in situations where they didn't want you on the internet, so you'd spend an hour looking for information Google could hand you in two minutes.

The good policies I have seen have all basically said something along the lines of:

"We pay you to come here to, you know, do some work. We understand that from time to time you might want to check the weather or a personal e-mail or order a gift for the wife. Please don't let this interfere with your work."

"Your colleagues all come here every day to, you know, do some work. There are many things on the internet that are likely to offend, disturb or disgust somebody (and a few that might offend, disturb or disgust everybody). We must insist that you avoid web sites, files, and so forth that are likely to distract your colleagues from, you know, doing some work."

Basically this makes loitering on the internet the same as loitering by the water cooler and covers the porn/racist jokes/etc. angle.

If accountant Bob isn't accounting, the problem is not Facebook (or whatever), it's Bob not doing his job. If he was writing the great American novel, long hand, with a pen and not doing his job, would they ban pens? (At least that's how I'd spin it going up.)
posted by Kid Charlemagne at 10:15 PM on February 4, 2009 [4 favorites]


SANS Institute. Can modify them as you see fit.
posted by txvtchick at 10:17 PM on February 4, 2009


It sounds like what you're after is a nice broad statement reflecting that your computer & internet connection are meant to be for work purposes only. However, limited personal emailing & web browsing are acceptable (at a level which is the discretion of your line manager). That kind of thing; saying that it's a privilege, not a right.

Maybe something encouraging people to restrict their personal stuff to before & after work, lunch & coffee breaks. It needn't be draconian; it's just a statement of company principle.

It's probably worth explicitly stating that the following kinds of things won't be tolerated, just so there's no ambiguity:
* porn
* other material that could be offensive to co-workers (eg racist, homophobic, etc)
* illegal downloading & filesharing
* use of burners for copyright infringement

Other than that, I'd suggest you look up some policies around security - eg don't download software, screensavers etc. Don't write your password down anywhere. Change your password regularly (if this isn't already enforced by your systems). Use a strong password (combo of letters & numbers; not a natural word). Lock your machine when leaving your desk. Don't use your company email address when signing up for non-work-related sites, etc.
posted by UbuRoivas at 10:27 PM on February 4, 2009


Password security is not best addressed by regular changes of strong passwords with no writedown. Pick two, but in real life you can't expect people to handle all three. A written password in my wallet is no less secure than my credit card.
posted by anadem at 11:04 PM on February 4, 2009


Work e-mail addresses are for work. Don't use private e-mail accounts for work related stuff, and don't use work e-mail accounts for private e-mails.

Make it clear that policies regarding appropriate workplace behavior apply to behavior on the computer.

Of course you'll also need policies on IMing too, but if you want, that can be handled technically.
posted by gryftir at 11:09 PM on February 4, 2009


Policies like "no porn sites at work" seem pointless and insulting, just like a customer service policy stating "don't be rude to customers." It seems so obvious, but you'd be amazed how they can help. There are people who will claim that since there was no policy, they figured it was allowed.
posted by nax at 2:15 AM on February 5, 2009


Unless the technical limits are just writing down what is already in place, I wouldn't focus on them. The IT policies my dad has written for his work (he's not technical) have all been that kind of vague obvious thing that you'd feel is insulting to write down, but he said every line is a response to actual incidents. Like the one that said something about 'users must not change the Admin password on their work issued laptop and then forget what it is'.

And stuff like how much personal email etc is allowed is not at all obvious, and varies wildly between workplaces. My mother doesn't have an email except her work account, and uses that to coordinate family events, pass round family photos, etc. Think of the debates on Mefi about NSFW: "artistic sex photos are ok at my workplace, you whingers should shut up!", or "how dare you not label a naked baby photo!" Imagine if somebody from one of those workplaces (whichever one you disagree with more strongly) started working at yours. How would you explain the acceptable use policy? What is NSFW at your workplace?
posted by jacalata at 5:41 AM on February 5, 2009


To be fair, "no porn at work" is mostly CYA so the company can say they have policies in place when some cretin shows the secretary his scheisse collection.
posted by electroboy at 6:54 AM on February 5, 2009


Thomas Limoncelli's Practice of System and Network Administration has a few sections devoted to policy but also tons of good stuff associated with policy. In general, it sounds like you've arrived at a point where I'd make a strong recommendation for the book.

An excellent resource from txvtchick above.
posted by ezekieldas at 6:58 AM on February 5, 2009


There have been several password recommendation posts on AskMe, and everywhere else on the web.

The Information Technology Infrastructure Library is exactly what you're talking about. There are other sources of pre-written policies. They may not be exactly what you want, but looking at what they cover is likely to be helpful. Googling IT Policies will find you lots of examples, which you'll want to narrow down.

My employer has acceptable use and email policies, and some other IT policies specific to our work. Nobody cares if you come in on the weekend to play games on the LAN, as long as you maintain network security, and don't cause problems.

You should be looking at any liability you might face. If you have public PCs, what if one person is viewing objectionable material, and another person is exposed to it? What if some doofus installs filesharing apps, downloads and also makes copyrighted material available for upload, as well as gets all sorts of malware that infects other machines on the network? What if someone uses the PC at work to stalk an ex-spouse? Or uses the machine at work to invade another computer and cause mischief, or worse? What if your employees are using work PCs to post inside info on MotleyFool? Many of these issues are covered by law, but big companies, especially, have some responsibility to see that their resources are not misused.

Your company should have really serious policies about data security. Hackers keep getting more skilled, new vulnerabilities surface all the time, and as a consumer, I am outraged at businesses that don't safeguard my data. I'm outraged a lot.

I think it's a good idea to clarify the fact that the machine, network, file- & mailservers belong to the company, and that there is no expectation of privacy. Government employees are subject to having email made public, which can get unpleasant. Especially if you are in a union environment, policies generally have to be written so that they are enforceable. If somebody gets fired for surfing nasty porn, they may sue you if the policy is really vague. Getting sued is expensive, even when you win.

I agree that broad, respectful reminders are good, i.e., The computer, network & servers belong to XYZ Corp., and should be used in a way that does not impair our business functions. Please be mindful of your bandwidth consumption. Your company will have to decide how complex to make the rules.
posted by theora55 at 7:56 AM on February 5, 2009


On not writing down passwords: it's a fact of life that people will still do it, but making it a rule that you keep them in your head means the onus is on the user to keep them secure. It's like the banks requiring that you not write your PIN anywhere, not use your DOB as a PIN, etc. If you do & it leaks, it's your fault; bad luck.

Funny story from a visiting consultant: a company outsourced its helpdesk operations, with a flat fee per call (something like $25). Management was appalled at the first set of invoices from the outsourced mob, and looked into it - 75% of calls were for password resets, eg from people returning from leave. The order went out: "Cut down on these password resets OR ELSE!!!"

The result? Monitors ended up covered with sticky notes scrawled all over with the users' passwords for all their applications.
posted by UbuRoivas at 3:25 PM on February 5, 2009


Alternate take- the company's IT resources are there to increase productivity. Any activity that's not directly business related shouldn't be allowed. Not because management wants to be mean, but for the same reason you aren't supposed to use the postal machine, copier, fax machine, phones, etc., for personal use. It uses up resources that should have been used for supporting the business.

Alternate, alternate take- good policies are good for everyone. And strict policies aren't insulting, quite the opposite. They show respect to the employees that you are stopping the other loafers from wasting time, and that you take your role as employer and their role as employee seriously by telling them exactly what is expected. What's insulting is saying "read our minds" or "you should know better" and then punishing people for doing that inaccurately. Do you think it's insulting and unprofessional to give police officers strict guidelines for use of their firearm? Of course not. You hand a professional a tool, and then you tell them how to and not to use it.
posted by gjc at 4:30 PM on February 5, 2009


Thomas Limoncelli's Practice of System and Network Administration has a few sections devoted to policy but also tons of good stuff associated with policy. In general, it sounds like you've arrived at a point where I'd make a strong recommendation for the book.

Seconding Mister Limoncelli's book, and this recommendation. If you're in the position where you're being asked to write policy, you'll find a wealth of non-policy-related information in there too.
posted by drikorok at 4:34 PM on February 5, 2009


Non-policy-related information that will help you in other areas of your work, even.
posted by drikorok at 4:37 PM on February 5, 2009

