How do I come up with effective IT policies?
February 4, 2009 9:33 PM   Subscribe

You're going to have to say something about personal use, and yes, what you said about tunneling to the home computer for gmail. I've been in situations where they didn't want you on the internet, so you'd spend an hour looking for information Google could hand you in two minutes.

The good policies I have seen have all basically said something along the lines of:

"We pay to you come here to, you know, do some work. We understand that from time to time you might want to check the weather or a personal e-mail or order a gift for the wife. Please don't let this interfere with your work."

"Your colleagues all come here every day to, you know, do some work. There are many things on the internet that are likely to offend, disturb or disgust somebody (and a few that might offend, disturb or disgust everybody). We must insist that you avoid web sites, files, and so forth that are likely to distract your colleagues from, you know, doing some work."

Basically this makes loitering on the internet the same as loitering by the water cooler and covers the porn/racist jokes/etc. angle.

If accountant Bob isn't accounting, the problem is not Facebook (or whatever), it's Bob not doing his job. If he was writing the great American novel, long hand, with a pen and not doing his job, would they ban pens? (At least that's how I'd spin it going up.)
posted by Kid Charlemagne at 10:15 PM on February 4 [4 favorites]

SANS Institute. Can modify them as you see fit.
posted by txvtchick at 10:17 PM on February 4

It sounds like what you're after is a nice broad statement reflecting that your computer & internet connection are meant to be for work purposes only. However, limited personal emailing & web browsing are acceptable (at a level which is the discretion of your line manager). That kind of thing; saying that it's a privilege, not a right.

Maybe something encouraging people to restrict their personal stuff to before & after work, lunch & coffee breaks. It needn't be draconian; it's just a statement of company principle.

It's probably worth explicitly stating that the following kinds of things won't be tolerated, just so there's no ambiguity:
* porn
* other material that could be offensive to co-workers (eg racist, homophobic, etc)
* illegal downloading & filesharing
* use of burners for copyright infringement

Other than that, I'd suggest you look up some policies around security - eg don't download software, screensavers etc. Don't write your password down anywhere. Change your password regularly (if this isn't already enforced by your systems). Use a strong password (combo of letters & numbers; not a natural word). Lock your machine when leaving your desk. Don't use your company email address when signing up for non-work-related sites, etc.
posted by UbuRoivas at 10:27 PM on February 4

Password security is not best addressed by regular changes of strong passwords with no writedown. Pick two, but in real life you can't expect people to handle all three. A written password in my wallet is no less secure than my credit card.
posted by anadem at 11:04 PM on February 4

Work e-mail addresses are for work. Don't use private e-mail accounts for work related stuff, and don't use work e-mail accounts for private e-mails.

make it clear that policies regarding appropriate workplace behavior apply to behavior on the computer.

Of course you'll also need policies on IMing too, but if you want, that can be handled technically.
posted by gryftir at 11:09 PM on February 4

Policies like "no porn sites at work" seem pointless and insulting, just like customer service policy stating "don't be rude to customers;" It seems so obvious, but you'd be amazed how they can help. There are people who will claim that since there was no policy, they figured it was allowed.
posted by nax at 2:15 AM on February 5

Unless the technical limits are just writing down what is already in place, I wouldn't focus on them. The IT policies my dad has written for his work (he's not technical) have all been that kind of vague obvious thing that you'd feel is insulting to write down, but he said every line is a response to actual incidents. Like the one that said something about 'users must not change the Admin password on their work issued laptop and then forget what it is'.

And stuff like how much personal email etc is allowed is not at all obvious, and varies wildly between workplaces. My mother doesn't have an email except her work account, and uses that to coordinate family events, pass round family photos, etc. Think of the debates on Mefi about NSFW: "artistic sex photos are ok at my workplace, you whingers should shut up!", or "how dare you not label a naked baby photo!" Imagine if somebody from one of those workplaces (whichever one you disagree with more strongly) started working at yours. How would you explain the acceptable use policy? What is NSFW at your workplace?
posted by jacalata at 5:41 AM on February 5

To be fair, "no porn at work" is mostly CYA so the company can say they have policies in place when some cretin shows the secretary his scheisse collection.
posted by electroboy at 6:54 AM on February 5

Thomas Limoncelli's Practice of System and Network Administration has a few sections devoted to policy but also tons of good stuff associated with policy. In general, it sounds like you've arrived at a point where I'd make a strong recommendation for the book.

And excellent resource from txvtchick above.
posted by ezekieldas at 6:58 AM on February 5

Don't write your password down anywhere.

This may be counter-intuitive, but it's often better if people write down their passwords, especially if they're long and complex. As an example, if the policy requires passwords that are eight characters and include a number, try these passwords and you're probably in the account by the fourth one:

username1
username2
username3
username4

If you encourage people to make complex passwords encourage them to write them down and store them in a safe location, like their wallet or purse.
posted by odinsdream at 6:58 AM on February 5

There have been several password recommendation posts on AskMe, and everywhere else on the web.

The Information Technology Infrastructure Library is exactly what you're talking about. There are other sources of pre-written policies. They may not be exactly what you want, but looking at what they cover is likely to be helpful. Googling IT Policies will find you lots of examples, which you'll want to narrow down.

My employer has acceptable use and email policies, and some other IT policies specific to our work. Nobody cares if you come in on the weekend to play games on the LAN, as long as you maintain network security, and don't cause problems.

You should be looking at any liability you might face. If you have public pcs, what if 1 person is viewing objectionable material, and another person is exposed to it? What if some doofus installs filesharing apps, downloads and also makes copyrighted material available for upload? as well as gets all sorts of malware that infects other machines on the network? What if someone uses the pc at work to stalk an ex-spouse? Or uses the machine at work to invade another computer and cause mischief, or worse? What if your employees are using work pcs to post inside info on MotleyFool? Many of these issues are covered by law, but big companies, especially, have some responsibility to see that their resources are not misused.

Your company should have really serious policies about data security. Hackers keep getting more skilled, new vulnerabilities surface all the time, and as a consumer, I am outraged at businesses that don't safeguard my data. I'm outraged a lot.

I think it's a good idea to clarify the fact that the machine, network, file- & mailservers belong to the company, and that there is no expectation of privacy. Government employees are subject to having email made public, which can get unpleasant. Especially if you are in a union environment, policies generally have to be written so that they are enforce-able. If somebody gets fired for surfing nasty porn, they may sue you if the policy is really vague. Getting sued is expensive, even when you win.

I agree that broad, respectful reminders are good, i.e., The computer, network & servers belong to XYZ Corp., and should be used in a way that does not impair our business functions. Please be mindful of your bandwidth consumption. Your company will have to decide how complex to make the rules.
posted by theora55 at 7:56 AM on February 5

On not writing down passwords: it's a fact of life that people will still do it, but making it a rule that you keep them in your head means the onus is on the user to keep them secure. It's like the banks requiring that you not write your PIN anywhere, not use your DOB as a PIN, etc. If you do & it leaks, it's your fault; bad luck.

Funny story from a visiting consultant: a company outsourced its helpdesk operations, with a flat fee per call (something like $25). Management was appalled at the first set of invoices from the outsourced mob, and looked into it - 75% of calls were for password resets, eg from people returning from leave. The order went out: "Cut down on these password resets OR ELSE!!!"

The result? Monitors ended up covered with sticky notes scrawled all over with the users' passwords for all their applications.
posted by UbuRoivas at 3:25 PM on February 5

Alternate take- the company's IT resources are there to increase productivity. Any activity that's not directly business related shouldn't be allowed. Not because management wants to be mean, but for the same reason you aren't supposed to use the postal machine, copier, fax machine, phones, etc., for personal use. It uses up resources that should have been used for supporting the business.

Alternate, alternate take- good policies are good for everyone. And strict policies aren't insulting, quite the opposite. They show respect to the employees that you are stopping the other loafs from wasting time, and that you take your role as employer and their role as employee seriously by telling them exactly what is expected. What's insulting is saying "read our minds" or "you should know better" and then punishing people for doing that inaccurately. Do you think it's insulting and unprofessional to give police officers strict guidelines for use of their firearm? Of course not. You hand a professional a tool, and then you tell them how to and not to use it.
posted by gjc at 4:30 PM on February 5

Thomas Limoncelli's Practice of System and Network Administration has a few sections devoted to policy but also tons of good stuff associated with policy. In general, it sounds like you've arrived at a point where I'd make a strong recommendation for the book.

Seconding Mister Limoncelli's book, and this recommendation. If you're in the position where you're being asked to write policy, you'll find a wealth of non-policy-related information in there too.
posted by drikorok at 4:34 PM on February 5

Non-policy-related information that will help you in other areas of your work, even.
posted by drikorok at 4:37 PM on February 5

« Older So, um, I discovered today tha...   |   I am finally making the jump t... Newer »