Policies
Clear IT Policies Set Clear Expectations

Creating IT Policies
In today’s “always-on” world, where everyone accesses the Internet via multiple devices, it is important to establish IT Policies. IT Policies set expectations for how your employees use and interact with your computers, information systems, network and even your physical environment.
Without clear expectations, inappropriate or uninformed employee usage can result in lost productivity, data loss, exposure to viruses and cyber-attacks, and an increased risk of lawsuits.
Setting policies that work with your business begins with identifying what assets and information you want to protect. This may include computers, mobile devices, HR and payroll systems, customer data including payment and personal information (PII), and proprietary business information. Once you’ve identified the assets and information that need protecting, identify who should have access to that information and establish guidelines for usage.
Some common IT Policies are:
- Physical Security
- Password Usage
- Internet Use
- Email Use
- Corporate Devices Policy
- Personal Devices (BYOD) Policy
- Data Security and Transfer Guidelines
- Training Requirements
Physical Security
Establish policies that guide employees to secure laptops and devices, both in and out of the office. A company laptop sitting on the passenger seat of a car is attractive to a thief, who could cause significant damage to your business if that laptop and its account have access to confidential information. In the office, employees should be in the habit of screen locking their computers whenever they leave their desk – a customer or service employee in the building should not be able to walk up to an unattended computer and access your databases and information.
Password Policy
The current recommendation on changing passwords has evolved significantly. According to the latest guidelines from the National Institute of Standards and Technology (NIST), the practice of regularly changing passwords is no longer advised unless there is evidence of a compromise. Here are the key points:
- Change Only When Necessary: Passwords should be changed only if there is a suspected or confirmed breach.
- Focus on Password Length: Longer passwords are preferred over complex ones. NIST recommends a minimum password length of 8 characters, with a preference for even longer passwords.
- Avoid Common Passwords: Ensure passwords are not easily guessable or commonly used. Organizations should maintain a blocklist of weak passwords.
- Use Two-Factor Authentication (2FA): Implementing 2FA adds an extra layer of security, reducing the need for frequent password changes.
Finally, employees should be instructed to never share passwords or accounts with other employees, family members, or even the IT department! Every employee is required to have their own account and their own password.
Internet Use Policy
This policy helps employees know what behavior is permitted or prohibited on company-owned computers, devices, and networks. These guidelines address personal use, social media, and unapproved software.
When it comes to personal use of company computers and network, there is no one-size-fits-all policy. An employee accessing their bank account to complete a transaction during their lunch break may increase productivity because they did not have to leave the office to drive across town. At the same time, excessive web surfing during work hours can reduce employee productivity, which affects your bottom line. Social media including Facebook, X, Instagram, Bluesky and others may be permissible or prohibited. Some roles may even require access – your marketing team, which posts to your social media accounts, needs access to these services.
Installing unapproved software can result in accidentally installing malware or unlicensed copies of software. Policies should identify which software can be installed and how to request exceptions to install nonstandard programs that the employee uses to do their job.
Email Use Policy
This policy helps employees know what behavior is permitted or prohibited when using their company-provided email account and system. Using company email to conduct unrelated commercial activity, or otherwise misusing a business email address, can increase legal and security risks for your business.
Corporate Devices Policy
These policies govern the use and monitoring of corporate-owned computers and devices. Guidance on what may be installed on these systems, how employees may use them, and whether they have an expectation of privacy on these devices should be communicated up front. This policy informs employees on what they should do in the event of a lost or stolen company device.
Ariel IT Services can help you implement Mobile Device Management to help manage the risk of critical information on lost or stolen devices.
Personal Devices Policy
Employees using personal smartphones and computers (BYOD) to access their work email, documents, and customer data will be more vigilant in protecting your business’s confidential information if they understand how and when using their personal devices is appropriate. Use this policy to identify the types of devices permitted, what security measures and prerequisites are required for employee devices to be approved, and what employees should do if their devices are lost, stolen, or compromised.
If your company does have a Mobile Device Management solution and enrolls personal devices in this program, inform your employees in your written policy when their device might be accessed, and under what circumstances data might be deleted on that device.
Data Security and Transfer
Set policies that define whether business data can be transferred via external networks or only on the company’s network. Determine whether your business will allow removable media, including USB keys, to transfer data between employees or external parties. USB keys can store large amounts of data but can be easily misplaced. Shared drives including OneDrive, Dropbox, Google Drive, and Apple iCloud can facilitate sharing data and improve productivity if your policies define permissible use.
Training Policy
Defining and writing policies is the first step, but they will not guide behavior unless your employees are informed of new policies and updates and trained to follow them. Policies must have clearly defined consequences for violations, from verbal and written disciplinary action up to and including dismissal for malicious or repeat offenders. Include training for new employees and annual training for existing employees as part of your adoption plan.
Ready to Get Started?
If you are ready to get started creating the right policies for your business, Ariel IT will work with your leadership team to understand your business and recommend best practices to protect your data and computer systems.